While it is no longer in the OWASP Top 10 2017, open redirect is still a recurring issue. An example of an open redirect to get you excited: https://duckduckgo.com/l/?kh=-1&uddg=https://tinyurl.com/bestwriteupever
What is an open redirect?
“Open redirects are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input.” (OWASP)
A simple example of an open redirect would be https://example.com/login?next=https://attacker.com. When a user successfully logs in on example.com, instead of being redirected to their dashboard or profile they will be sent to attacker.com.
For some more in-depth information about open redirect, go and watch the excellent video below by @PwnFunction where he explains what an open redirect is and what can go wrong.
Some key takeaways:
- A user can easily be misled to a phishing page
- Open redirect in a login or password reset might lead to account takeover
- Open redirect can be powerful when used to chain bugs
- When you find an open redirect, check if SSRF or XSS is possible
After watching the video, we hope you have a better idea of what open redirect is all about. Below you can find a summary of different attack scenarios.
Should I submit an open redirect?
The most common use case is redirection to a malicious website. When this is the only attack scenario, most companies won’t accept such a submission. When hunting on intigriti, plain open redirects are out of scope unless otherwise specified in the “In Scope” section, or if they show a bigger impact as shown in the write-ups below.
A working example of an open redirect which is not considered an issue:
- https://www.google.com/search?btnI&q=allinurl:https://www.youtube.com/watch?v=o1eHKf-dMwo Google’s opinion on open redirect
The thing our triagers love the most after a great PoC is showing the impact of a bug.
Found an open redirect? See if you can trigger XSS.
How an open redirect can also be XSS (by Sergey Bobrov on Twitter)
When there is an open redirect in the login process, you should definitely check whether sensitive tokens (like JWT or OAuth tokens) or other sensitive data are sent along with the redirected request.
A tutorial by security researcher zseano explaining how it is possible to steal Facebook OAuth tokens, with some tips & tricks about open redirects and how to find them
Stealing a JWT token via open redirect (by Gaurav Narwani)
Use them to chain bugs and increase the impact
A great example of using an open redirect to chain bugs (by Tomasz Bojarski on Google)
Combining 2 low-severity vulnerabilities into an authentication bypass (by Arne Swinnen on Airbnb)
Time for practice
BugBountyNotes, a platform created by security researcher zseano, has 2 challenges on open redirect.
- Can you bypass the Open URL redirect filter? “Try not to overthink this one. Even though a website sometimes tells you how a function SHOULD function, sometimes it doesn’t always do that. Look at what request is being sent, and can anything be done with that parameter?”
- Our redirect blacklist is top-notch, right? “We built a secure redirect system, to redirect from our website to our application. There is not a way to bypass this, right?”
A while ago, we also made a challenge. If you haven’t found it already, go and find the open redirect!
How to prevent open redirect?
Because we also care about the web developers 😉
- Disable the redirect if it is not needed, or avoid the problem entirely with an alternative design (for example, an internal identifier that the server maps to a fixed destination)
- Validate the redirect target against a whitelist of allowed URLs
- Show a warning page when a user is redirected to a domain outside your control (example: https://www.google.com/url?rct=j&url=https%3A%2F%2Fwww.intigriti.com%2F)
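As an added illustration of the whitelist advice (this is not code from the original post), the Python helper below puts a naive substring check next to a stricter allow-list check that only ever redirects to a local path or to an exact allow-listed host. It goes a bit beyond the list above by naming, in comments, the input shapes a redirect validator has to reject. `ALLOWED_HOSTS`, `DEFAULT_TARGET` and the `example.com` / `attacker.com` names are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed values: example.com stands in for the application's own host(s).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/dashboard"


def weak_is_trusted(url: str) -> bool:
    """A substring 'whitelist' check. It passes https://example.com.attacker.com
    and https://attacker.com/?x=example.com, so it is not a fix."""
    return "example.com" in url


def safe_redirect_target(next_param: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on an allow-listed host, else `default`.

    Accepted: a local path such as "/profile", or an absolute http(s) URL whose
    parsed hostname matches the allow-list exactly. Anything else is dropped.
    """
    if not next_param:
        return default
    candidate = next_param.strip()
    # Control characters (CR/LF, tab, NUL) never belong in a redirect target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    # Browsers treat "\" like "/", so "/\attacker.com" is really "//attacker.com".
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. a malformed "[" IPv6 literal in the host part
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash, which rejects
        # protocol-relative "//attacker.com" and bare "attacker.com".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return default
    # Absolute URL: only http(s), and the hostname a browser would actually
    # connect to (after any "user@" prefix) must be on the allow-list exactly.
    if parts.scheme.lower() not in ("http", "https"):
        return default
    if (parts.hostname or "") not in allowed_hosts:
        return default
    return urlunsplit(parts)
```

Wire `safe_redirect_target(request.args.get("next"))` into the login handler in place of the raw parameter; everything it rejects lands on the default page instead of off-site.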
Can’t get enough of open redirect? Check out this cheat sheet by Pentester Land.
A blog post by Steve Tabernacle on “Open redirects – the vulnerability class no one but attackers cares about”
Detectify blog post about “The real impact of an Open Redirect”