Unvalidated Redirects and Forwards

Last updated 4 years ago
Overview

Unvalidated redirects and forwards occur when user input is used, without any filtering, to decide where the web page redirects, sending the user to a URL that the user (or an attacker) supplied. By replacing the untrusted URL input with the address of a malicious website, an attacker can launch a phishing attack to steal the user's credentials. Because the link's server name is that of the original, trusted website, the phishing attempt looks more legitimate and trustworthy: it is more likely to pass through email filters and more easily tricks users into clicking the link.

For example, consider the URL https://website.com/?urlparameter=<url>, where the application uses the value of the urlparameter query variable as the redirect target. Entering https://website.com/?urlparameter=google.com would redirect the end user to Google.

Example

This example from appsecco's DVNA illustrates a simple unvalidated redirect in Node.js. The vulnerable URL is http://127.0.0.1/app/redirect?url=<url>. Entering any URL in the url parameter redirects the user to that URL: https://127.0.0.1/app/redirect?url=google.com will redirect the user to google.com.

The code that handles this functionality is in /core/apphandler.js. The function takes the request and, on line 2, checks whether the request carries a value for the url query variable; if so, it immediately redirects to that URL without any validation or prompt to make the user aware of where they are being sent.

```javascript
module.exports.redirect = function(req,res){
    if(req.query.url){                      // any non-empty ?url= value is accepted
        res.redirect(req.query.url)         // attacker-controlled redirect target, no validation
    }else{
        res.send('invalid redirect url')
    }
}
```

The solution implemented in DVNA is an interceptor page that requires the end user to explicitly approve the target URL before the redirect is performed.
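As an added example (not DVNA's code), the handler below replaces the vulnerable one with allowlist validation of the redirect target, which can be used on its own or before showing an interceptor page. It assumes the application is served from the origins listed in ALLOWED_ORIGINS; targets are parsed with Node's built-in WHATWG URL class so that protocol-relative (`//host`), backslash (`\\host`) and `javascript:` tricks resolve to a foreign origin or a rejected scheme rather than slipping through a naive string check.

```javascript
// Added example, not part of DVNA. ALLOWED_ORIGINS is an assumption for the demo app.
const ALLOWED_ORIGINS = ['http://127.0.0.1', 'https://127.0.0.1'];

// Returns the absolute URL that is safe to redirect to, or null if the target is rejected.
function resolveRedirect(target, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof target !== 'string' || target.length === 0) return null;
  let parsed;
  try {
    // Resolve relative to the app's own origin: "/account" stays local, while
    // "//evil.example", "\\evil.example" or "http://127.0.0.1@evil.example" resolve
    // to a foreign host and therefore fail the origin check below.
    parsed = new URL(target, allowedOrigins[0]);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  // Reject javascript:, data: and any other non-HTTP scheme.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  // Exact origin match (scheme + host + port); a subdomain or a different port is not enough.
  if (!allowedOrigins.includes(parsed.origin)) return null;
  return parsed.href;
}

// Drop-in replacement for the vulnerable DVNA handler shown above.
function redirectHandler(req, res) {
  const dest = resolveRedirect(req.query.url);
  if (dest) {
    res.redirect(dest);
  } else {
    res.status(400).send('invalid redirect url');
  }
}
```

Note that a bare hostname such as `google.com` is a relative path, so it resolves to `http://127.0.0.1/google.com` and stays on the allowed origin.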

References:

  • Unvalidated Redirects and Forwards - OWASP Cheat Sheet Series
  • Appsecco DVNA source code example: https://appsecco.com/books/dvna-developers-security-guide/solution/ax-unvalidated-redirects-and-forwards.html