Changing Directions: Attacking with Open Redirects
The article discusses open redirects and the risks they carry. An open redirect lets a user be sent to an arbitrary URL, which can be abused for phishing or for distributing malware. Detection methods include searching for specific response headers, query strings and JavaScript code. An attacker can use the flaw to steer users to a malicious site. The recommendation is to limit the use of redirects and apply strict restrictions to prevent abuse. 2025-8-7 13:23:25 Author: redsiege.com

by Stuart Rorer

Open Redirection

Whenever I think of open redirection, I think of Super Mario games and the green plumbing pipes. By hopping into one I can easily transport Mario to some other, usually enemy laden, area. Redirections exist within web applications as well. The primary purpose is to transport the user to a specific area based off a certain criteria.

Similar redirections can occur for many reasons in web applications, whether to send the user to a more updated version of a page, a reaction to some form of dynamic input, or even because multiple applications are at play and redirections are used to work between them.

Problems

However, problems can occur if redirections are not implemented correctly. For example, one of the most common forms of exploitation is to redirect a user to an area that is attacker controlled. The attacker could use this for purposes of phishing, or even to direct the user to a site that could contain malware, or even a zero-day browser exploit.

How to Find It

There are many ways to look for open redirections. It is important to search for specific response codes, query strings, and even the source code within responses and associated JavaScript files.

Using Burp’s search feature, you can look for specific strings. The image below shows an example search for the string “url=”.

Searching for Redirections

Some of the things I like to search for are the following.

Response headers can often indicate that a redirect is occurring. Below are some of the ones I check for.

Response Headers

· HTTP/1.1 301 Moved Permanently
· HTTP/1.1 302 Found
· HTTP/1.1 307 Temporary Redirect
· HTTP/1.1 308 Permanent Redirect
· Location:
· Refresh: 0; url=

It’s also worthwhile to check for common strings that may point toward a possible redirection.

Search Strings

· "Location:"
· "url="
· "Refresh:"

Don’t forget to look within source code for potential redirects. Burp will sometimes pick up on these and alert you.

JavaScript Searches

· window.location =
· window.location.href =
· document.location =
· .location =

Sometimes redirections are fairly easy to find, as shown in the image below where the parameter is within the URL.

Finding a Redirection in the URL
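The search described above, turned into a small triage script, as an added example that is not part of the original post: it looks for the redirect indicators the post lists (3xx status with Location, a Refresh header, JavaScript location sinks) in a raw HTTP response, then reports which request query parameters are echoed verbatim into the redirect target. The request URL, host names and response are constructed sample values; only the redsiege.com target comes from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators the post searches for: redirect status codes, Location/Refresh
# headers, and JavaScript sinks that assign to a location property.
REDIRECT_STATUS = {301, 302, 303, 307, 308}
JS_SINKS = re.compile(r"(?:window\.location(?:\.href)?|document\.location|\.location)\s*=(?!=)", re.I)

# Constructed sample: a login page echoing its "next" parameter into Location.
SAMPLE_REQUEST_URL = "https://shop.example.test/login?next=https%3A%2F%2Fwww.redsiege.com&lang=en"
SAMPLE_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                   "Location: https://www.redsiege.com\r\n"
                   "Content-Length: 0\r\n\r\n")


def find_redirect_target(raw_response):
    """Return (indicator, target) for the first redirect signal in a raw HTTP
    response, or None. Checks status+Location, then Refresh, then JS sinks."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    try:
        status = int(status_line.split()[1])
    except (IndexError, ValueError):
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status in REDIRECT_STATUS and "location" in headers:
        return ("location", headers["location"])
    if "refresh" in headers:
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", headers["refresh"], re.I)
        if m:
            return ("refresh", m.group(1))
    m = JS_SINKS.search(body)
    return ("javascript", m.group(0)) if m else None


def reflected_params(request_url, target):
    """Names of request query parameters whose decoded value appears verbatim in
    the redirect target: the candidates worth reviewing for open redirection.
    Very short values can match by accident, so confirm hits by hand."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    return sorted(name for name, values in query.items()
                  if any(v and v in target for v in values))


if __name__ == "__main__":
    hit = find_redirect_target(SAMPLE_RESPONSE)
    print(hit, reflected_params(SAMPLE_REQUEST_URL, hit[1]))
```

Run over exported proxy history or web-server logs, the same two functions narrow a large site down to the handful of parameters that actually drive a redirect.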

How to Abuse It

If you find a redirection, the next step is to test whether it is an open redirection, that is, whether it allows us to send a user to an arbitrary URL of our choice. If the application is configured in a more secure manner, it should block us from supplying a URL of our own. I'll demonstrate using a very simplified example.

The first step is capturing the redirect within a proxy interceptor, such as Burp Proxy. Let’s return to our original example.

Capturing the Redirection Request

We can send this request to the repeater and modify the “url” parameter as shown below.

Modified Redirection

If we are successful, we should be redirected to our modified URL. As you can see below, we have received a 302 Found, which is redirecting us to https://www.redsiege.com.

Redirecting to Arbitrary URL

The page is successfully rendered in our browser.

Successful Redirection

Again, keep in mind that redirects won't always be as easily spotted; they can be found in the POST body and in many other areas as well. How easily the URL can be modified also varies. If the redirection is within source code, for example, you will need to find a way to inject your arbitrary URL.

How to Use It

How effectively these can be used will depend on where the redirection is found. One of the easiest cases is a redirection found within the URL. Our example above demonstrates that, but think of how it could be used for a successful phishing attack: people will often look only at the base domain when verifying a link, especially if the URL is exceedingly long. Using redirection in the URL can be a potent way of sending a user to a place of your choosing. If the redirect is in a POST request, it gets a bit more tricky and will require more construction and creativity on the attacker's side to work.

Conclusion

Even though this was a simplified example, open redirections can definitely become an issue. If they are not restricted, they can easily be used by an attacker to trick a user into going to a site they control. The best protection is to limit the use of redirections and to apply proper restrictions so that they cannot be manipulated to send a user outside the intended area.
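One way to apply the restrictions the conclusion calls for, as an added example rather than code from the post: a server-side validator for a "url=" style parameter that accepts only same-site paths or https URLs whose host is on an allowlist, and falls back to a default for everything else. The allowlisted hosts and the test inputs are constructed values; the edge cases it rejects (protocol-relative "//host", scheme-only "https:host", userinfo "allowed@evil", backslashes) are the forms browsers normalise differently from a naive server-side check.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed example values).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `candidate` if it is a safe redirect target, else `default`.

    Accepted: a same-site path such as "/account", or an absolute https URL
    whose host is on the allowlist. Rejected: other hosts, protocol-relative
    "//host", scheme-only "https:host", "javascript:" and other schemes,
    userinfo tricks ("allowed@evil"), backslashes and control characters.
    """
    if not candidate:
        return default
    # Browsers rewrite "\" to "/" and strip tabs/newlines before parsing, so
    # reject those characters outright rather than trying to parse them.
    if any(ch in " \t\r\n\\" or ord(ch) < 0x20 for ch in candidate):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal such as "https://[evil"
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow "/path" but never "//host" (protocol-relative).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme.lower() != "https":
        return default
    host = parts.hostname       # lowercased; userinfo and port already removed
    if host is None or host not in allowed_hosts:
        return default
    return candidate


if __name__ == "__main__":
    # Constructed inputs of the kind a tester would try against a "url=" parameter.
    for value in ["/account", "https://app.example.com/settings", "//evil.test/phish",
                  "https:evil.test", "https://app.example.com@evil.test/", "javascript:alert(1)"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

Where the application only ever needs same-site redirects, drop the allowlist branch entirely and accept relative paths alone; the smaller the accepted grammar, the less there is to get wrong.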


About Stuart Rorer, Security Consultant

Stuart has worked in the IT Industry for more than twenty years and has worked within Cyber Security for the past twelve. In the past he has held jobs in the education, government, and private sector, and for the last few years has specialized in web application penetration testing. Stuart has performed testing on clients in all sectors, many of which have been in the Fortune 500. He enjoys spending time in research and exploring new penetration testing tactics, and techniques.

Certifications:

CPT, ECPPT, ECSA, CEH, SEC+



Article source: https://redsiege.com/blog/2025/08/changing-directions-attacking-with-open-redirects/