An Open Redirect is a vulnerability in a web application that allows an attacker to redirect a user to an arbitrary website. At first glance, this might not seem harmful, but with malicious intent it can be used as part of phishing attacks, malware distribution, or to bypass access controls. It might not be the most sophisticated vulnerability out there, but it certainly has severe implications if overlooked.

Phishing attacks often use open redirects to lead users to fake login pages where their credentials can be stolen. Similarly, during malware distribution, users are led to a malicious site that may automatically download malware onto their device. Open redirects can also be used to bypass same-origin policy restrictions in web applications, potentially exposing sensitive information.

The most concerning aspect of open redirects is their ability to maintain a guise of trust. Users trust links from reputable websites. When this trust is abused, the vulnerability becomes a powerful tool for deception.

An Open Redirect Example

Let’s assume you’re visiting an e-commerce website named ‘tcm-shop.com’.

  1. You notice that after successful login, the website redirects you to a welcome page. The URL looks like this: https://www.tcm-shop.com/login?redirect=https://www.tcm-shop.com/welcome. Here, the ‘redirect’ parameter in the URL seems to control where you are redirected after login.
  2. You decide to test whether the website is vulnerable to an open redirect attack. You change the URL to: https://www.tcm-shop.com/login?redirect=https://www.evil.com and then log in.
  3. After login, instead of being redirected to the welcome page of ‘tcm-shop.com’, you are redirected to ‘evil.com’. This confirms that the ‘redirect’ parameter in the URL doesn’t validate or restrict the input; hence it is an open redirect vulnerability.

This vulnerability can be exploited by a malicious actor who could send an email pretending to be from ‘tcm-shop.com’ asking users to log in for some reason (e.g., account verification, exciting offers). The email contains a link which looks legitimate, but the ‘redirect’ parameter in the URL has been changed to a malicious site. The user, thinking they’re logging into ‘tcm-shop.com’, actually gets redirected to the attacker-controlled site.

Testing for Open Redirects

Detecting open redirects is sometimes trivial and sometimes tricky.

  1. Identify User-Controlled URLs: In your application, identify functionalities that direct to other URLs. This could be in login redirects, banner click-throughs, or any part of your application where the URL is a parameter in a request.
  2. Check for Redirection: Once you’ve identified user-controlled URLs, check whether the application performs redirections to the supplied URL without validation. This is the primary indicator of an open redirect vulnerability.
  3. Test for Scheme-less URLs: Many applications only check if a URL starts with “http”. However, an attacker can use a scheme-less (scheme-relative) URL, i.e., //evil.com, which browsers treat as a relative reference that keeps the current scheme, so it still resolves to https://evil.com. Hence, test with various URL schemes.
  4. Encode Special Characters: Applications often block URLs with special characters. To bypass this, try URL-encoded versions of special characters (e.g., %2F instead of a slash).
  5. Try Different Formats: Experiment with different URL formats. Some applications might not validate or correctly handle new formats like the internationalized domain names.
  6. Use a URL shortening service: Some applications validate that the URL domain matches the expected domain. By using a URL shortening service, an attacker could bypass such checks.

Common Mitigations Against Open Redirect Attacks

  1. Avoid Redirections when Possible: The most straightforward mitigation strategy is to avoid using redirects unless absolutely necessary. Less complexity typically equates to fewer vulnerabilities.
  2. Input Validation: If redirection is a must, ensure the target URL is valid and trusted. Use an allowlist for allowable domains to limit redirection to only known, trusted websites.
  3. Same-Site Redirections: Limit the application to only redirect to links within the same site or domain.
  4. Tokenization: Implement a user confirmation token system. Before performing the redirect, the system generates a unique token for the user’s session and appends it to the redirect URL. On the redirected page, the system checks the token against the user’s session. If they don’t match, the redirect is rejected.
  5. User Awareness: Users should be educated about the potential risks of clicking on unexpected links, even if they seem to come from trusted sources.
  6. Security Headers: Use HTTP security headers, like Content Security Policy (CSP), to control which domains the browser should consider as valid sources of executable scripts.
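As an added example (not code from the original post or from TCM Security), here is a redirect check of the weak, prefix-matching kind that the Testing section warns about, beside an allowlist-based check implementing mitigations 2 and 3 (input validation against an allowlist, same-site redirection). Both are run against probe inputs modelled on the testing steps above, plus a few extra cases (non-standard port, backslash) that the same check should also reject. The host www.tcm-shop.com is taken from the article; the allowlist entry partner.example, the short.example link and the probe strings are constructed for this example.

```python
"""Weak vs. allowlist-based redirect target validation (added example).

Assumptions (constructed for this example): the application lives on
www.tcm-shop.com, the login handler reads the 'redirect' query parameter,
and partner.example is the only external host we want to allow.
"""
from urllib.parse import urlsplit, urlunsplit

OUR_HOST = "www.tcm-shop.com"
ALLOWED_HOSTS = {OUR_HOST, "partner.example"}  # hypothetical allowlist
DEFAULT_TARGET = "https://www.tcm-shop.com/welcome"


def naive_redirect_target(redirect_param: str) -> str:
    """The kind of check the article warns about: a prefix test that accepts anything
    that looks local (starts with '/') or starts with our origin, then echoes it verbatim."""
    if redirect_param.startswith("/") or redirect_param.startswith("https://" + OUR_HOST):
        return redirect_param
    return DEFAULT_TARGET


def safe_redirect_target(redirect_param: str) -> str:
    """Allowlist check. Returns a *canonical* URL rebuilt from parsed parts, so that
    whatever the caller supplied, the host in the Location header is one we chose."""
    # Control characters, whitespace and backslashes never belong in a redirect target.
    # Browsers treat '\' like '/', urlsplit does not, so reject rather than parse them.
    if not redirect_param or any(c in redirect_param for c in "\\\r\n\t\0 "):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(redirect_param)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return DEFAULT_TARGET

    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ('//evil.com') URL: only https to an exact host
        # on the allowlist, on the default port. hostname is lowercased and has any
        # userinfo stripped, so 'https://www.tcm-shop.com@evil.com' is seen as evil.com.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        if port not in (None, 443):
            return DEFAULT_TARGET
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))

    # Local path: exactly one leading slash (two would be scheme-relative to a browser).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_TARGET
    return urlunsplit(("https", OUR_HOST, parts.path, parts.query, ""))


# Constructed probes, one per testing step in the article plus two extra cases.
PROBES = {
    "/welcome": "legitimate local path",
    "https://www.tcm-shop.com/welcome": "legitimate absolute URL",
    "https://www.evil.com": "absolute URL to another site (the login example)",
    "//evil.com": "scheme-less URL (step 3)",
    "%2F%2Fevil.com": "URL-encoded slashes (step 4)",
    "https://www.tcm-sh\u043ep.com/": "look-alike host with Cyrillic 'o' (step 5)",
    "https://short.example/abc": "URL shortener (step 6)",
    "https://www.tcm-shop.com.evil.com/": "our host used as a prefix of an attacker host",
    "https://www.tcm-shop.com:8443/": "our host on an unexpected port",
}


def compare(probes=PROBES):
    """Run every probe through both checks; returns {probe: (naive_result, safe_result)}."""
    return {p: (naive_redirect_target(p), safe_redirect_target(p)) for p in probes}


if __name__ == "__main__":
    for probe, (naive, safe) in compare().items():
        print(f"{probe!r:45} {PROBES[probe]}")
        print(f"{'':45} naive -> {naive}")
        print(f"{'':45} safe  -> {safe}")
```

The naive check lets the scheme-less probe and the host-as-prefix probe straight through, which is exactly what steps 3 and 6 of the Testing section are designed to find. The allowlist version rebuilds the target from the parsed scheme, host and path rather than echoing the parameter, so encoding tricks in the input cannot reintroduce a foreign host; anything it cannot vouch for falls back to a fixed default page.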

About the Author: Alex Olsen

Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.

Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com
