search
GitHubTwitterExegolTools

ORED Open redirect

hashtag
Theory

Many web applications make redirections based on parameters that users can easily control, like GET parameters. When the application fails to properly check and filter these inputs, they can be vulnerable to Open Redirect where attacker can redirect users to a malicious website. Open Redirect vulnerabilities are exploited in phishing attacks to redirect users from a trusted website to an attacker-controlled one. In well executed attacks, most of the users would not notice it without carefully looking at the URL to see the difference.

Open Redirect vulnerabilities are usually found when browsing a page, being asked to log in, and then being redirected to the original page when logged in. These mechanisms greatly improve the UX (user experience) but when they are badly implemented, they can lead to vulnerabilities from low to medium severity.

hashtag
Practice

Testers need to find inputs vectors used by the website for redirections. They usually are GET parameters with string values that are sometimes base64 encoded like:

Testers can then try to replace those values with different URLs and analyze de redirection.

Some bugbounty tools like waybackurlsarrow-up-right (Go), hakrawlerarrow-up-right (Go) and gfarrow-up-right (Go) can help find vulnerable endpoints.

cat subdomains | waybackurls | tee -a urls
cat subdomains | hakrawler -depth 3 -plain | tee -a urls
gf redirect urls

Using redirect.json with gf like:

{
    "flags" : "-HanrE",
    "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
}
circle-info

Redirections can be header based (location header sent from the server), or Javascript based (will not work fro server-side functions, but could redirect to javascript:something() and cause an XSS).

circle-exclamation

The impact of this vulnerability is debated. Open redirects can help in phishing attacks but in some cases, it could help exploit an XSS, a SSRF or a CSRF, hence increasing the impact.

hashtag
Resources

https://s0cket7.com/open-redirect-vulnerability/s0cket7.comchevron-right
LogoOpen redirection (reflected)portswigger.netchevron-right
LogoOpen redirection (stored)portswigger.netchevron-right
LogoDOM-based open redirection | Web Security AcademyWebSecAcademychevron-right
Open Redirection Guide0x00sec - The Home of the Hackerchevron-right
LogoPayloadsAllTheThings/Open Redirect at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right
PreviousIDOR (Insecure Direct Object Reference)NextContent-Type juggling

Last updated

Was this helpful?