Open redirect

What is it?

An Open Redirect Vulnerability allows an attacker to redirect a user to an arbitrary website of the attacker's choosing. It occurs when an application incorporates user-supplied data into a URL which causes a redirection to that URL. This can be used to facilitate phishing attacks, steal sensitive information, or perform other malicious activities.

A simple example

Consider a website that uses a URL parameter to redirect the user to a specified page. For example: http://website.com/redirect?site=http://some-site.com. An attacker could replace "http://some-site.com" with a malicious site, then trick a user into following the crafted link.

Open Redirects can lead to:

- Phishing attacks
- Disclosure of sensitive information
- Malware installation
- Execution of arbitrary scripts

Other learning resources:

- OWASP: https://owasp.org/www-community/attacks/Unvalidated_Redirects_and_Forwards
- PortSwigger: https://portswigger.net/web-security/unvalidated-redirects
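The fix on the application side is to stop treating the site parameter as a free-form URL. The following is an added example (not code from the original page) of a redirect validator for the http://website.com/redirect?site=... pattern above: it accepts only relative paths on the application's own site or absolute http(s) URLs whose host is on an allowlist, and everything else falls back to a fixed landing page. The host names, the allowlist and the fallback URL are assumptions for illustration; it is written as plain Python on top of urllib.parse so it has no framework dependency.

```python
from urllib.parse import urlparse

# Assumed values for the example: the application's own host, the destinations
# it is allowed to send users to, and where to send them when validation fails.
APP_HOST = "website.com"
ALLOWED_HOSTS = {"website.com", "some-site.com"}
FALLBACK = "https://website.com/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a relative path on this site or an
    absolute http(s) URL whose host is on the allowlist.

    The check is done on the *parsed* host name rather than with string
    prefix matching, because a prefix check on "http://website.com" is
    satisfied by URLs that browsers actually send somewhere else.
    """
    if not target:
        return False
    # Whitespace, control characters and backslashes are rejected outright:
    # browsers normalise some of them, which can change the host a URL parses to.
    if any(c.isspace() or ord(c) < 0x20 for c in target) or "\\" in target:
        return False

    parsed = urlparse(target)

    # No scheme and no network location: a plain relative path on our own site.
    # Require a leading "/" so it is always interpreted relative to the site root.
    if parsed.scheme == "" and parsed.netloc == "":
        return target.startswith("/")

    # Anything with a network location must be http or https. This also rejects
    # protocol-relative URLs ("//host/path"), which parse with an empty scheme
    # but a non-empty netloc, and non-web schemes such as javascript:.
    if parsed.scheme not in ("http", "https"):
        return False

    # urlparse().hostname strips userinfo and port, so "user@host" forms and
    # mixed-case hosts are compared on the real host only.
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(target: str) -> str:
    """Return the URL the application should actually redirect to."""
    if is_safe_redirect(target):
        return target
    # Unsafe or malformed targets are dropped and the user lands on a fixed page.
    # In a real application this branch is also the place to log the rejected
    # value, since repeated rejections are a useful signal of abuse attempts.
    return FALLBACK


if __name__ == "__main__":
    for candidate in ("/account/settings",
                      "http://some-site.com",
                      "http://malicious-site.com",
                      "//malicious-site.com/"):
        print(f"{candidate!r:40} -> {resolve_redirect(candidate)}")
```

A stricter variant of the same idea, common in practice, is to stop accepting URLs at all and have the site parameter carry a short key that the server maps to a destination it controls; the allowlist above is the minimum that makes the parameter safe when the URL form has to stay.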

Checklist

Exploitation

Craft a URL that redirects to a malicious site

http://website.com/redirect?site=http://malicious-site.com

Trick the user into clicking the link

"You've won a prize! Click here to claim: http://website.com/redirect?site=http://malicious-site.com"
