Unvalidated Redirects and Forwards

Overview

Unvalidated Redirects and forwards occur when user input is used without filter to redirect the webpage, sending the user to the user supplied URL. By modifying untrusted URL input to a malicious website, an attacker may successfully launch a phishing attack to steal the users credentials. Due to the server name being the same as the original trusted website, phishing attempts have a more valid looking and trustworthy appearance that will pass through email filters and more easily trick users into clicking the link.

For example the URL https://website.com/?urlparameter=<url> where the application uses the urlparameter URL variable input to redirect the user to that URL. Thus entering https://website.com/?urlparameter=google.com would redirect the end user to google.

Example

This example from appsecco's DVNA illustrates a simple invalidated redirect in Node JS. The vulnerable URL is http://127.0.0.1/app/redirect?url=<url>. Entering any URL in the url parameter will redirect the user to that URL: https://127.0.0.1/app/redirect?url=google.com will redirect the user to google.com.

The code that handles this functionality is in /core/apphandler.js. The function takes the request and on line 2 checks if the request has a value for the URL variable, if so it immediately redirects to the URL without any checks or prompts for user awareness.

module.exports.redirect = function(req,res){
    if(req.query.url){
        res.redirect(req.query.url)
    }else{
        res.send('invalid redirect url')
    }
}

The solution implemented is to use an interceptor page which requires the end user to submit their approval for the URL before the page is redirected.

Unvalidated Redirects and Forwards - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

https://appsecco.com/books/dvna-developers-security-guide/solution/ax-unvalidated-redirects-and-forwards.htmlappsecco.com

Appsecco DVNA source code example