Unvalidated Redirects and Forwards

Source Code Examples

The source code examples below come from vulnerable web applications such as OWASP Juice Shop.

OWASP Juice Shop (Node.js)

The Juice Shop application is vulnerable to open redirect on the redirect route http://localhost:3000/redirect?to= ; the to URL parameter is the vulnerable input. Supplying a URL that carries its own query parameter containing a URL from the built-in allow-list exploits the vulnerability:

http://localhost:3000/redirect?to=http://evil.com/?pwned=https://github.com/bkimminich/juice-shop

Any user who clicks that link will be sent to evil.com, which bypasses the allow-list functionality built into the code. The code that handles that route request is redirect.js. The performRedirect function calls the isUnintendedRedirect function on line 11 using a return statement. This function uses redirectAllowlist from the insecurity.js file, a JavaScript Set object that contains the allowed domains. On line 22 the function loops over the redirectAllowlist and checks whether the user-supplied URL (toUrl) starts with any of the allowed URLs.

const utils = require('../lib/utils')
const insecurity = require('../lib/insecurity')
const challenges = require('../data/datacache').challenges

module.exports = function performRedirect () {
  return ({ query }, res, next) => {
    const toUrl = query.to
    if (insecurity.isRedirectAllowed(toUrl)) {
      utils.solveIf(challenges.redirectCryptoCurrencyChallenge, () => { return toUrl === 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW' || toUrl === 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm' || toUrl === 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6' })
      utils.solveIf(challenges.redirectChallenge, () => { return isUnintendedRedirect(toUrl) })
      res.redirect(toUrl)
    } else {
      res.status(406)
      next(new Error('Unrecognized target URL for redirect: ' + toUrl))
    }
  }
}

function isUnintendedRedirect (toUrl) {
  let unintended = true
  for (const allowedUrl of insecurity.redirectAllowlist) {
    unintended = unintended && !utils.startsWith(toUrl, allowedUrl)
  }
  return unintended
}

//redirect.js
//https://github.com/bkimminich/juice-shop/blob/master/routes/redirect.js

On line 60 of the /lib/utils.js file, the utils.startsWith function simply checks whether the user-supplied input (str) begins with the allowedUrl (prefix), i.e. whether indexOf(prefix) is 0:

exports.startsWith = (str, prefix) => str ? str.indexOf(prefix) === 0 : false

Extremely Vulnerable Web App (XVWA) (PHP)

The XVWA is vulnerable to open redirect on the following route http://localhost/xvwa/vulnerabilities/redirect/redirect.php?forward=https://www.google.com/

Any user that clicks that link will be sent to https://google.com.

The source code takes the forward URL parameter from the HTTP GET request. It only checks that the string length is greater than 0, then writes the value of the forward variable into the HTTP Location response header. There are no checks to determine whether a redirect to that domain should be allowed.

//https://github.com/s4n7h0/xvwa/blob/master/vulnerabilities/redirect/redirect.php

<?php 
	if (isset($_GET['forward'])){
		$forward=$_GET['forward'];
		if (strlen($forward)>0){
			header("Location: ".$forward);
		}
	}
?>
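An added example that is not part of Juice Shop or XVWA, covering both code samples above: a loose allow-list check of the kind the Juice Shop bypass relies on (the allow-listed URL merely appears inside the value, here inside the payload's own query string) next to a stricter check that parses the value with the WHATWG URL parser and compares origin and path. The allow-list entries and the function names are constructed for the example; in the XVWA handler, a check like the strict one is what should gate the Location header.

```javascript
// Added example, not Juice Shop's or XVWA's code. Node's global URL class is
// used, so no imports are needed.

// Constructed allow-list for this example (Juice Shop keeps its own in insecurity.js).
const redirectAllowlist = new Set([
  'https://github.com/bkimminich/juice-shop',
  'https://blockchain.info/address/'
])

// Loose check: the allow-listed URL only has to appear somewhere in the value, so
// "http://evil.com/?pwned=https://github.com/bkimminich/juice-shop" is accepted.
function looseIsRedirectAllowed (toUrl) {
  if (typeof toUrl !== 'string') return false
  for (const allowedUrl of redirectAllowlist) {
    if (toUrl.includes(allowedUrl)) return true
  }
  return false
}

// Strict check: parse the value as an absolute URL, require the origin
// (scheme + host + port) to match exactly, and require the path to be the
// allow-listed path or a sub-path on a "/" boundary.
function strictIsRedirectAllowed (toUrl) {
  let target
  try {
    target = new URL(String(toUrl)) // throws on relative or malformed input
  } catch (err) {
    return false
  }
  for (const allowedUrl of redirectAllowlist) {
    const allowed = new URL(allowedUrl)
    if (target.origin !== allowed.origin) continue // also rejects user@host tricks
    if (target.pathname === allowed.pathname) return true
    const base = allowed.pathname.endsWith('/') ? allowed.pathname : allowed.pathname + '/'
    if (target.pathname.startsWith(base)) return true
  }
  return false
}

// How a route handler would use it: answer 406 instead of redirecting,
// mirroring the error branch in redirect.js above.
function redirectDecision (toUrl) {
  return strictIsRedirectAllowed(toUrl)
    ? { status: 302, location: new URL(toUrl).href }
    : { status: 406, location: null }
}
```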
Last updated 4 years ago