Open Redirect
Description

Many web applications use URL redirection to direct a user to another site or to another page on the same site. Some web sites allow the destination of that redirection to be manipulated. An attacker might be able to abuse this functionality to trick users into entering sensitive information into a malicious website while they believe they are still navigating within a trusted website. This vulnerability can affect any application that uses URL redirection.

Impact

Open redirects allow an attacker to send users to a malicious site via a legitimate-looking URL. Many users are tricked by the legitimate-looking URL into thinking that they are browsing a trusted site. The malicious site might have an authentic-looking login page, which tempts unsuspecting users into entering their usernames and passwords. Personal information entered into the malicious login page is recorded for the attacker's use. Once the attacker has valid user credentials, they can access or modify users' data in the application. If the attacker is able to take over an administrative account, they might gain full control of the application.

Countermeasures

To prevent this problem, avoid using redirects altogether if possible. If redirects are necessary, avoid basing the redirect on user input if possible. If user input is necessary for redirects, use reference maps to limit permissible redirect destinations, and always validate the destinations of redirects.

The choice depends on how much user input is required to determine the redirect destination: the less user input, the safer the application. If redirection takes place regardless of user input, the destination can be computed server-side without it. If user input is necessary, maintain a clearly defined list of valid redirection targets, build a reference map from that list to limit permissible redirect destinations, and always validate the destinations. NOTE: If valid targets cannot be reduced to a list of safe destinations, an open redirect vulnerability is virtually guaranteed and it is better not to redirect at all.

If redirection can be calculated without user input:

If user input is necessary, and it is possible to clearly define valid redirection targets:

Application Check

To check for adequate protection against this problem, choose the application check below that fits the Countermeasures strategy you have chosen:
Ensure that redirects are not used. OR
Ensure that redirection is not based on user input. OR
If user input is needed, ensure that reference maps are used to limit permissible redirect destinations, and that the destinations of redirects are always validated.
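The following Python module is an added example, not code from the original article, illustrating both the Countermeasures section (a reference map plus destination validation) and the Application Check above (a table of constructed inputs the validator must accept or reject). The token map, the host allow-list and the hostnames under example.test are constructed for the example; the validation rules are the ones a practitioner would apply to a "next"-style parameter: same-site paths starting with a single slash, or absolute http(s) URLs whose host exactly matches the allow-list, with scheme-relative URLs, backslashes, embedded whitespace, userinfo tricks, look-alike hosts and non-http schemes all rejected.

```python
from urllib.parse import urlsplit

# Constructed reference map (example values, not from the original page): the
# request carries only a short token, and the server maps it to a fixed
# destination. Anything not in the map falls back to DEFAULT_DESTINATION.
REDIRECT_MAP = {
    "home": "/",
    "account": "/account/settings",
    "docs": "https://docs.example.test/start",
}

# Hosts this application is willing to redirect to when a full URL must be
# accepted (constructed allow-list; exact, lower-cased host names only).
ALLOWED_HOSTS = {"www.example.test", "docs.example.test"}
DEFAULT_DESTINATION = "/"


def resolve_by_reference(token):
    """Reference-map countermeasure: the user supplies a key, never a URL."""
    return REDIRECT_MAP.get(token, DEFAULT_DESTINATION)


def is_safe_destination(url, allowed_hosts=ALLOWED_HOSTS):
    """Destination validation for the case where a full URL must be accepted.

    Accepts only a same-site path starting with a single '/', or an absolute
    http(s) URL whose host is exactly on the allow-list. Everything else is
    rejected.
    """
    if not isinstance(url, str) or not url:
        return False
    # Browsers strip tabs/newlines and treat '\' as '/', so such input can
    # resolve to something very different from what we parse here: reject it.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url) or "\\" in url:
        return False
    if url.startswith("/"):
        # '/path' stays on this origin; '//host' is scheme-relative and does not.
        return not url.startswith("//")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        # 'https://www.example.test@evil.test/' parses with the trusted name
        # as userinfo and evil.test as the real host.
        return False
    # hostname is lower-cased by urlsplit; compare exactly, never by prefix.
    return parts.hostname in allowed_hosts


def redirect_target(token=None, url=None):
    """Pick the final destination: prefer the map, validate any raw URL, else default."""
    if token is not None:
        return resolve_by_reference(token)
    if url is not None and is_safe_destination(url):
        return url
    return DEFAULT_DESTINATION


# Constructed inputs for the Application Check: each pair is (input, accepted?).
CHECK_CASES = [
    ("/account/settings", True),
    ("https://docs.example.test/start", True),
    ("HTTPS://WWW.EXAMPLE.TEST/", True),
    ("//evil.test/login", False),
    ("/\\evil.test", False),
    ("/\t/evil.test", False),
    ("https://www.example.test.evil.test/", False),
    ("https://www.example.test@evil.test/", False),
    ("javascript:alert(1)", False),
    ("http:evil.test", False),
]


def run_checks(cases=CHECK_CASES):
    """Return the cases whose validator verdict does not match the expectation."""
    return [(url, want) for url, want in cases if is_safe_destination(url) != want]


if __name__ == "__main__":
    failures = run_checks()
    print("all checks passed" if not failures else f"FAILED: {failures}")
```

Wire `redirect_target` in front of whatever issues the HTTP 302 in your framework, passing the token when a reference map is feasible and the raw URL only when it is not; when `run_checks()` returns anything other than an empty list, the validator has regressed on one of the constructed cases and the application check fails.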

If redirects can be calculated without user input:

If user input is necessary, and it is possible to clearly define valid redirection targets:

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerability.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact support@securityinnovation.com for help.
