🔐
Secure Coding Handbook
  • Secure Coding Handbook
  • Resources
  • Client side
    • Cross-Site Scripting [XSS]
    • Cross-Site Request Forgery [CSRF]
    • Clickjacking
    • Open Redirects
  • Server Side
    • SQL Injections [SQLi]
    • XML External Entity Injection [XXE]
    • OS Command Injection [Command Execution]
    • File Upload
    • Server-Side Request Forgery [SSRF]
    • Host Header Injection
    • Authentication
    • Directory Traversal
    • Template Injection [SSTI]
  • API
    • Broken Object Level Authorization
    • Excessive Data Exposure
    • Mass Assignment
  • Auxiliary
    • Vulnerable Dependency Management
    • Deserialization
    • Logging
  • Solidity
    • Re-Entrancy
Powered by GitBook
On this page
  • 1. Introduction:
  • 2. Typical vulnerable code:
  • 3. Mitigations:
  • 4. Takeaways:

Was this helpful?

  1. Client side

Open Redirects

PreviousClickjackingNextSQL Injections [SQLi]

Last updated 3 years ago

Was this helpful?

1. Introduction:

Insecure redirects and forwards are possible when a web application redirects the request to an URL given by accepts arbitrary input. By modifying the arbitrary URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials, and much more. For more information regarding this, from an attacker's perspective, .

2. Typical vulnerable code:

The typical vulnerable code takes in some url parameter to which it redirects the user.

<?php
...
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
...
?>
...
response.sendRedirect(request.getParameter("url"));
...

3. Mitigations:

The rule of thumb that you have probably noticed by now, should you have read through all other topics, is the fact that every developer has to VALIDATE their input! Input validation and filtering are the techniques of protecting against any kind of user-available-input exploitation.

In this scenario, however, input validation is not even needed. Since a developer typically knows where they have to redirect the user to, there is no longer a need for the url parameter that can be exploited. We can just hardcore it :)

On the Java tab of the following code brick you will find a way to not hardcore the url itself, but to construct it instead.

<?php

/* Redirect the browser. */
header("Location: http://www.bobi.io");

/* Exit to prevent the rest of the code from executing. */
exit;

?>

// build the redirectURL based on the hostname lookup
StringBuilder redirectUrl = new StringBuilder()
    .append(request.getScheme())
    .append("://")
    .append(InetAddress.getLoopbackAddress().getHostName())
    .append(request.getContextPath()
);

//
response.sendRedirect(redirectUrl);

4. Takeaways:

Safe use of redirects and forwards can be done in a number of ways:

  • Simply avoid using redirects and forwards.

  • If used, do not allow the URL as user input for the destination.

  • If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.

  • Sanitize input by creating a list of trusted URLs (lists of hosts or a regex).

    • This should be based on an allow-list approach, rather than a block list.

  • Force all redirects to first go through a page notifying users that they are going off of your site, with the destination clearly displayed, and have them click a link to confirm.

You can find more details about this topic here:

you can read this
Open redirection (reflected)
Insecure URL Redirect
Unvalidated Redirects and Forwards