What Is an Open Redirection Vulnerability and How to Prevent it?

This type of vulnerability can lead to phishing attacks and a range of other nasty consequences. Read on to see how to prevent it.

By Sven Morgenroth · Jan. 08, 18 · Tutorial


An open redirection occurs when a web application or server takes a user-supplied URL and redirects the browser to it without adequate validation. Letting the user decide which page he is sent to may look harmless, but when exploited such behaviour can have a serious impact, especially when combined with other vulnerabilities and tricks.

How Can an Open Redirect Web Vulnerability Be Exploited?

Abusing the Trust Users Have in the Vulnerable Website

Since the domain name in a URL is usually the only thing a user checks to tell a legitimate website from an illegitimate one, an attacker can abuse that trust: a link to the vulnerable website carries the trusted domain name, yet silently forwards the user to a malicious page where further attacks are executed, as explained in the following sections.

Exploiting an Open Redirect Vulnerability for a Phishing Attack

A user who clicks a link to a legitimate website often won't be suspicious if a login prompt suddenly appears. To launch the phishing attack, the attacker sends the victim a link, for example by email, that exploits the vulnerability on the legitimate website example.com:

https://example.com/redirect.php?go=http://attacker.com/phish/

The vulnerable endpoint on the legitimate website redirects the victim to http://attacker.com/phish/, a phishing page that imitates the legitimate site. Once there, the victim enters his credentials into a login form whose target is a script controlled by the attacker. That script typically stores the submitted username and password, which the attacker later uses to impersonate the victim on the legitimate website.

The chances of success are high because the link the victim sees, in the email or on hover, shows the trusted domain example.com; the forward to attacker.com only happens after the click.

Exploiting an Open Redirect Vulnerability to Redirect Victims to Malicious Websites

It is also possible to send an otherwise careful user to a site hosting attacker-controlled content, such as a browser exploit or a page that launches a CSRF attack. As above, the victim is more likely to click if the link appears to point to a site he trusts. An example is an open redirect on a trustworthy page, such as a banking site, that forwards the victim to a page carrying a CSRF exploit against a vulnerable WordPress plugin.

Exploiting an Open Redirection Vulnerability to Execute Code

Redirecting to javascript: URIs

An open redirection in a web application can also be used to execute an XSS payload by redirecting to a javascript: URI, which runs JavaScript directly in the context of the vulnerable website. For example:

https://example.com/index.php?go=javascript:alert(document.domain)

This shows an alert window containing example.com, the domain of the vulnerable page, which proves the script runs in that site's origin. In most modern browsers this only works when the redirect is performed by JavaScript on the client side (for example by assigning the parameter to location.href). A Location response header whose value is a javascript: URI is not followed: the browser does not execute the code and may show an error message instead.

Another URI scheme useful to an attacker is data:. At the time of writing (January 2018), Chrome and Opera (Blink/WebKit-based browsers) no longer follow top-level redirects to data: URIs, but Mozilla Firefox still does; Firefox later blocked top-level navigation to data: URLs as well (from Firefox 59), so treat this as browser-version dependent. A data: URI writes its content directly into the browser window, which lets an attacker build a phishing page without a web server to host it.

What Is the Impact of an Open Redirection Vulnerability?

As described above, the impact ranges from theft of information and credentials to redirection to malicious websites carrying attacker-controlled content, which in some cases even results in XSS. So although an open redirection may sound harmless at first, its impact can be severe if it is exploitable.

How Can You Prevent Open Redirection Vulnerabilities?

The easiest and most effective way to prevent open redirects is to not let the user control where your page redirects him. If you must redirect based on a URL, use an identifier that the server resolves internally to the respective URL, so the actual target never comes from the request. If users must be able to issue arbitrary redirects, use an interstitial page that shows the destination and requires the user to click the link rather than redirecting automatically.

Where a URL parameter is unavoidable, check that it begins with http:// or https:// and reject everything else, so that malicious URIs such as javascript: or data: are never used. On its own that check still allows a redirect to any external host, so additionally parse the value with a URL parser that behaves like the browser's and accept it only if the resulting origin (scheme, host and port) is your own or on an explicit allowlist. Simple string prefix checks are not enough: values such as //attacker.com, https://example.com@attacker.com, https://example.com.attacker.com and /\attacker.com pass a naive check and still send the user off-site.
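The following is an added example, not code from the original article, covering both the vulnerable endpoint from the phishing section and the hardening advice above. It assumes the site lives at https://example.com and receives the target in a query parameter the article calls go; the function names are hypothetical. It uses Node's built-in WHATWG URL class, which parses the same way browsers do, so the bypasses listed above are resolved to their real destination before the origin is compared.

```javascript
// Added example (not from the original article): validating open-redirect targets in Node.js.
// Assumptions: the application origin is https://example.com; the helper names are hypothetical.

const EXPECTED_ORIGIN = "https://example.com";

// The check the article mentions, on its own: blocks javascript: and data: URIs,
// but still sends the victim to any http(s) host, e.g. https://attacker.com/phish/.
function naiveSchemeCheck(target) {
  return target.startsWith("http://") || target.startsWith("https://");
}

// A string prefix check on the site's own URL is also bypassable (userinfo trick,
// look-alike subdomain), because it never parses the URL.
function naivePrefixCheck(target) {
  return target.startsWith(EXPECTED_ORIGIN);
}

// Hardened version. Parses the value like a browser (WHATWG URL), resolves it against the
// site origin so relative paths such as "/account" are accepted, and refuses everything whose
// origin is not ours. Returns the relative path to redirect to, or null if it must be refused.
function safeRedirectTarget(raw, expectedOrigin = EXPECTED_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw, expectedOrigin);
  } catch {
    return null; // unparseable input is refused rather than passed through
  }
  // javascript: and data: URLs have an opaque origin ("null"); foreign hosts,
  // "https://example.com@attacker.com", "//attacker.com", "/\attacker.com" and
  // "https://example.com.attacker.com" all resolve to a different origin, so one
  // comparison of the full origin (scheme + host + port) covers all of them.
  if (url.origin !== expectedOrigin) return null;
  // Re-serialise from the parsed URL; never echo the attacker's raw bytes into Location.
  return url.pathname + url.search + url.hash;
}

// The alternative the article recommends: an ID that the server resolves internally,
// so the request never carries a URL at all. The table entries are constructed examples.
const REDIRECT_TABLE = new Map([
  ["account", "/account"],
  ["docs", "https://docs.example.com/"], // hypothetical partner host, fixed server-side
]);
function redirectById(id) {
  return REDIRECT_TABLE.get(id) ?? null;
}
```

Because safeRedirectTarget returns a relative path, the same value can feed a Location header or a client-side location.href assignment; a javascript: or data: URI can never reach either sink, which is the case the article describes for JavaScript-based redirects. If you need to allow a handful of external hosts, compare url.origin against a fixed set of full origins rather than using endsWith on the hostname, since a suffix check on "example.com" also matches "notexample.com".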

Vulnerability Classification and Severity Table

Classification   ID / Severity
OWASP 2013       A10 (Unvalidated Redirects and Forwards)
CWE              601 (URL Redirection to Untrusted Site, 'Open Redirect')
WASC             38 (URL Redirector Abuse)
CVSS:3.0         CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (base score 6.5, Medium)
Netsparker       Medium

Published at DZone with permission of Sven Morgenroth, DZone MVB. See the original article here.
