Which of the following is a way to detect unvalidated redirects and forwards?

Unvalidated Redirects and Forwards

Last Updated: 14 Jun, 2022


Unvalidated Redirects and Forwards, also sometimes referred to as URL Redirection Vulnerability, is a type of bug found in web applications. In this type of vulnerability, the attacker manipulates a URL and sends it to the victim. As soon as the victim opens the URL, the website redirects them to a malicious website, or to whichever website the attacker wants the user redirected to. The attacker generally exploits this type of vulnerability by manipulating the URL manually or with the help of tools like Burp Suite, which offers several ways to manipulate the URL so that the redirect goes where the attacker chooses.

How does URL Redirection work?

First of all, we need a brief idea of the HTTP response codes. The classes of response code are:

• 1xx Informational
• 2xx Success
• 3xx Redirection
• 4xx Client Error
• 5xx Server Error

The HTTP status code tells us about the response that we receive from a website. For URL redirection, the 3xx codes are the redirection codes: they tell the client that this URL is going to be redirected to some other page. The attacker takes advantage of this and tries to inject their payloads or manipulate the URL to send the victim to their malicious website. Below is a screenshot of Burp Suite, in which an attacker can add filters to find specific URLs that return 3xx codes.


The image above shows only those URLs that return a 3xx code. Next, we check for specific parameters in the URL, for example dest, redirect, url, path, continue, URL, navigation, etc. The URL would look something like https://www.xyz.com/continue=www.xyz.com/abc. The attacker removes the entire URL after "continue" and adds the URL of his phishing page, which may be an exact copy of the original web page.

Step by Step Working of the Attack:

1. The attacker intercepts the request for the URL in Burp Suite.
2. Sends the request to Spider.
3. Checks for the parameters and, when found, sends the request to the Repeater tab.
4. Chooses the target location where the payload is to be applied.
5. Starts the attack.

By following the above steps, an attacker obtains the list of the particular URLs on which the website successfully redirects.

Unvalidated redirects and forwards, also referred to as Open Redirect, feature on OWASP's list of the ten most common vulnerabilities. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their Top 10 list one by one in our OWASP Top 10 blog series.

Description

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect.

Prevalence

Unvalidated redirects and forwards were ranked as uncommon both in 2010 and 2013, when OWASP graded the vulnerabilities in their top ten list.

However, even if the prevalence of this vulnerability is considered low across the internet in general, one cannot look at the resources or popularity of a site to determine whether it is likely to be vulnerable. One of the companies that does not classify this as a vulnerability is Google, while Facebook, for example, does. It would therefore not be strange to find an unvalidated redirect on Google's domain, while Facebook would pay a bug bounty for the same thing on their domain.

Potential impact

The potential danger of Unvalidated Redirects and Forwards is not considered that serious. The most common use case is phishing attacks, or others that also involve social engineering, which lowers the potential impact of the vulnerability.

It also happens that this is part of a chained attack, where it is only one link in a chain of multiple vulnerabilities used together. This type of attack is more advanced and therefore not as common.

Exploitability

In most cases, this vulnerability is very easy to exploit, which increases the likelihood of someone finding and abusing it.

There have, of course, been cases where it has been much harder to exploit, but as the impact is not that great, the time spent looking for the vulnerability is limited. This means it is mainly the easier cases of Unvalidated Redirects and Forwards that are discovered and exploited.

Well-known events

There have not been any public attacks where this vulnerability has played a great part. It is possible that something like that has happened in the past, but as most serious uses of this vulnerability involve social engineering, companies are rarely that generous with reporting attacks.

How to discover Unvalidated Redirects and Forwards

• Look at the code for every place that performs a redirect. If there is no kind of whitelist for the URL being redirected to, the site is probably vulnerable.
• Crawl the site and save all pages that generate a redirect. If a parameter is changed, does the redirect follow the changed value as well? Again, if no whitelist seems to be implemented here, the site is most likely vulnerable.
• Manually looking around and investigating all parameters that can be suspected to have something to do with redirects may feel like a waste of time, but it can actually generate better results than one might expect.
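As an added illustration of the crawl-and-compare approach above (example code written for this page, not Detectify's scanner or the article's own code), the Python below runs over a handful of constructed crawl records and flags 3xx responses whose Location header echoes a redirect-style parameter and leaves the requesting host. The parameter names come from the list earlier on this page; the hosts and records are made up.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names the article lists as worth checking (compared case-insensitively).
REDIRECT_PARAMS = {"dest", "redirect", "url", "path", "continue", "navigation"}

# Constructed crawl records: (request URL, status code, Location header or None).
SAMPLE_CRAWL = [
    ("https://www.xyz.com/login?continue=/account", 302, "/account"),
    ("https://www.xyz.com/go?url=https://phishing.example/abc", 302, "https://phishing.example/abc"),
    ("https://www.xyz.com/out?redirect=//evil.example", 301, "//evil.example"),
    ("https://www.xyz.com/page?id=7", 200, None),
    ("https://www.xyz.com/logout?dest=https://www.xyz.com/bye", 302, "https://www.xyz.com/bye"),
    ("https://www.xyz.com/r?url=https://x.example", 302, "https://www.xyz.com/home"),
]

def redirect_host(location, request_host):
    """Host the browser ends up on: absolute and protocol-relative (//host) targets name it,
    a relative path stays on the host that served the redirect."""
    parts = urlsplit(location)
    return parts.netloc.lower() if parts.netloc else request_host

def find_open_redirect_candidates(crawl):
    """Return (url, parameter, location) for every 3xx whose Location contains the value of a
    redirect-style parameter and points off the requesting host."""
    findings = []
    for url, status, location in crawl:
        if not (300 <= status < 400) or not location:
            continue                      # only redirects are interesting
        req = urlsplit(url)
        host = req.netloc.lower()
        for name, values in parse_qs(req.query).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                # The parameter must actually drive the Location header, and the
                # resulting target must leave our host; same-host redirects are fine.
                if value and value in location and redirect_host(location, host) != host:
                    findings.append((url, name, location))
    return findings

if __name__ == "__main__":
    for url, name, location in find_open_redirect_candidates(SAMPLE_CRAWL):
        print(f"candidate: {name}= in {url} -> {location}")
```

A real crawl would feed the same tuples from saved responses; a second pass that changes the parameter value and re-requests the page confirms that the redirect follows it.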

How Detectify can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Detectify is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including the OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable.

Code example of vulnerable application

Let us assume there is a file (router.php) on the website responsible for internal redirects. A normal request would look something like this:

https://example.com/router.php?url=forum.php

The code for that script is the following:

However, as there are no checks on whether the URL really is internal or external, an attacker would be able to construct a URL like this as well:

https://example.com/router.php?url=https://phishing.com

Remediation

There are a few possible ways to remediate this issue.

• Try to avoid redirects altogether. In most cases, they are not needed.
• If a redirect is necessary, do not trust user input for its destination.
• Map the destination input to a value that the server then translates to the real destination before doing the redirect. This prevents the attacker from changing it.
• Have a whitelist of URLs. This can be done with a regex if necessary, but be careful, as it is easy to make mistakes without realizing it.

If none of the above is possible, force all redirects to go through a page where the user has to click a button to confirm they are leaving the trusted site.
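The router.php listing is not reproduced on this page, so here is an added Python equivalent (written for this page, not the original PHP or Detectify's code) that places the described behaviour of router.php beside a hardened resolver implementing the remediation list above: a server-side map of short names, a strict local-path check, an exact-host comparison for absolute URLs, and the confirmation page as the fallback for anything off-site. The host example.com, the destination table and the confirmation path are assumed values.

```python
from urllib.parse import urlsplit, quote

# Assumed values for this example: the site's own host, the server-side map of short
# names to destinations, and the page that asks the user to confirm leaving the site.
SITE_HOST = "example.com"
DESTINATIONS = {"forum": "/forum.php", "profile": "/account/profile",
                "partner": "https://partner.example.org/start"}  # off-site only via the map
CONFIRM_PAGE = "/leaving?to="

def vulnerable_router_target(url_param):
    """What the described router.php does: whatever ?url= holds becomes the Location header."""
    return url_param

def is_local_path(value):
    """True only for a path on this site. Rejects schemes, hosts, the protocol-relative
    //host form and the /\\host form that browsers normalise to //host."""
    if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""

def safe_router_target(value):
    """Hardened resolution, in the order the remediation list recommends:
    1. a short name is mapped server-side to the real destination;
    2. a bare path is allowed only if it stays on this site;
    3. an absolute URL is allowed only for exactly our host (no substring or userinfo
       tricks), otherwise the user is sent to the confirmation page first."""
    if value in DESTINATIONS:
        return DESTINATIONS[value]
    if is_local_path(value):
        return value
    parts = urlsplit(value)
    if parts.scheme == "https" and parts.netloc.lower() == SITE_HOST:
        return value
    if parts.scheme in ("http", "https") and parts.netloc:
        return CONFIRM_PAGE + quote(value, safe="")
    return "/"  # anything else (javascript:, data:, empty, //host) goes to the home page

if __name__ == "__main__":
    for raw in ["forum", "/forum.php", "https://phishing.com", "//phishing.com"]:
        print(f"{raw!r}: vulnerable -> {vulnerable_router_target(raw)!r}, "
              f"hardened -> {safe_router_target(raw)!r}")
```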

What are unvalidated redirects and forwards?

Unvalidated Redirects and Forwards, also sometimes referred to as URL Redirection Vulnerability, is a type of bug found in web applications. In this type of vulnerability, the attacker manipulates a URL and sends it to the victim.

Which is most likely to result from unvalidated redirects and forwards?

Unvalidated redirects and forwards cannot harm your website or web application, but they can harm your reputation by helping attackers lure users to malware sites. If you allow unvalidated redirects and forwards, your website or web application will most probably be used in phishing scams.

What mitigations work against unvalidated redirect attacks?

If redirects are used, do not allow a URL as user input for the destination. Where possible, have the user provide a short name, ID or token which is mapped server-side to a full target URL. This provides the highest degree of protection against an attacker tampering with the URL.

Why is it important to validate redirects and forwards?

Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.