Open redirect

Improper validation of front-end provided redirect links

Open redirect: the basics

What is an Open redirect?

An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.

Attackers exploit open redirects to add credibility to their phishing attacks. Most users see the legitimate, trusted domain, but do not notice the redirection to the phishing site.

Although this vulnerability doesn’t always directly impact the legitimate application, the company's reputation can be negatively impacted. In addition, although open redirects may not seem to have a high impact on the organization itself, it’s important to avoid damaging the trust users have in the business. It’s worth noting that an open redirect in your own site may very well be used against your own employees!

About this lesson

During this lesson, we will learn how open redirects work, why they work, and how to prevent them in your application. We’ll look at how a vulnerable application can be abused to collect some credit card details. After that, we’ll look under the hood at the code that made this possible. We will then update the code to fix the vulnerability.

Fun fact

Hackers spend $$$ abusing redirects

A highly sophisticated phishing campaign was identified in 2020 with a very interesting use of open redirects. The attackers used over 350 unique domains to host their phishing sites, which were automatically generated using a domain-generation algorithm (DGA). The scale and effort put into the infrastructure of this attack indicates that open redirect abuse can be very profitable!

Open redirect in action


Hacking a social app

Music fanatic and struggling DJ, Josie has woken up in the morning and is checking her emails. She finds an amazing offer in her inbox, her favorite music streaming service is on sale! Normally, MusiqueAimer is a $60 per month subscription but for a very limited time is only $10 a month.

Josie clicks the link in the email and is directed to the MusiqueAimer login page. She logs in and is then asked to enter her credit card details to process the new subscription. She enters all her details but is disappointed as a banner displays, “Sorry, you are not eligible for this deal” and is redirected to the homepage.

Later that week, Josie checks her credit card balance and finds numerous transactions she hadn’t made!

In this tutorial, we’re going to step into the shoes of the attacker who sent Josie the email, and find out how her credit card details were compromised.


MusiqueAimer’s Open Redirect Vulnerability

Visiting the MusiqueAimer login page, we can see in the URL that there is a parameter called “redirect_url”. It appears that after making a login request, we’re redirected to the profile page.

www.musiqueaimer.com/login?redirect_url=/profile

We can test the redirect by logging in with our own credentials. Log in by using the username “h@kur” and password “12jdz#1aBy”. Notice that we’re redirected to our profile page.

Now, try replacing the ‘/profile’ string with another URL and logging in again.

www.musiqueaimer.com/login?redirect_url=https://www.youtube.com/watch?v=dQw4w9WgXcQ

Notice that you were redirected to the URL that you supplied? This indicates that this redirect is vulnerable!

Open redirect under the hood

What happened?

When we edited the redirect_url parameter and sent it to Josie, the legitimate application redirected her to our phishing page after she signed in. Since there is no validation of the URL, anyone can arbitrarily provide whatever URL they like.

Josie didn’t even notice the redirect to our phishing page because it looks exactly like the legitimate MusiqueAimer website. Even if she checked the URL, it probably wouldn’t have raised concern since they are very similar. So, without any worries raised, Josie entered her credentials into our site where we were able to capture them. After presenting her with a seemingly legitimate reason as to why we couldn’t provide a discount, she was redirected to her home page. I’m sure she would be upset about not getting a discount, but she didn’t expect that she had actually just lost her money!

Using open redirects for phishing is so effective because we are providing a link to a known legitimate site. Even if the victim is tech-savvy and checked the URL’s domain and maybe even the SSL certificate, the redirection will still lead to an unwanted location.

Implementation of the login method for user authentication.

Chaining Open Redirect Vulnerabilities

Along with phishing and social engineering implications, open redirect vulnerabilities may also be chained with other vulnerabilities to increase their impact. For example, an open redirect may allow an attacker to:

  • Bypass a domain-based server-side request whitelist to achieve full-blown server-side request forgery.
  • Redirect to a URL with the javascript: scheme, resulting in XSS.
  • Steal secret tokens via the Referer header.

Open redirect mitigation

How do you mitigate open redirect?

There are several ways to fix this code so that the open redirect is no longer possible. We can find a way to validate the input in the parameter so that only legitimate locations are accepted, or we could remove the parameter altogether.

Remove the parameter

To remove the parameter completely and implement a fixed redirect, we’d edit our code to look like this:

This is the safest way to fix the open redirect but depending on how your application is set up, it could disrupt the flow of the application and impact the user’s experience. If the user was trying to access a different page, such as the contact details, the user would have to navigate from their profile to the contact details instead of the app redirecting them straight to the contact details.

Implement an “allow list”

If removing the parameter doesn’t work for your application flow, then we could alter the code to only allow redirects to pages from an “allow list”. All redirect_url parameters that are not equal to either the profile or contact details page will simply redirect the user to the home page after login.

Implement a fixed domain

Alternatively, if your application contains many potential legitimate pages to redirect to, we can implement a fixed domain and simply append the requested page path to it.
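The following is an added example, not the lesson’s own code: the vulnerable redirect handler from the “under the hood” section beside the three fixes just described (fixed redirect, allow list, fixed domain), written as plain Node.js functions so it runs without a web framework. The origin `https://www.musiqueaimer.com`, the allowed paths `/profile` and `/contact`, and the host `attacker.example` are assumed values; the fixed-domain version also handles the inputs a naive “starts with /” check would miss.

```javascript
// Added example (not from the lesson). APP_ORIGIN is an assumed value.
const APP_ORIGIN = "https://www.musiqueaimer.com";

// Vulnerable: whatever arrived in ?redirect_url= is used verbatim.
function vulnerableRedirect(redirectUrl) {
  return redirectUrl || "/profile";
}

// Fix 1: remove the parameter; every login lands on the profile page.
function fixedRedirect() {
  return "/profile";
}

// Fix 2: allow list of known application paths (assumed values);
// anything else sends the user to the home page.
const ALLOWED_PATHS = new Set(["/profile", "/contact"]);
function allowListRedirect(redirectUrl) {
  return ALLOWED_PATHS.has(redirectUrl) ? redirectUrl : "/";
}

// Fix 3: fixed domain; the parameter may only supply a path on our own origin.
// Resolving the input against APP_ORIGIN with the WHATWG URL parser is what
// catches the tricky cases: "//attacker.example" and "/\attacker.example"
// resolve to a foreign host, "javascript:alert(1)" to a foreign scheme.
function fixedDomainRedirect(redirectUrl) {
  const fallback = APP_ORIGIN + "/";
  if (typeof redirectUrl !== "string" || !redirectUrl.startsWith("/")) {
    return fallback;
  }
  let target;
  try {
    target = new URL(redirectUrl, APP_ORIGIN);
  } catch (e) {
    return fallback; // unparsable input
  }
  if (target.origin !== APP_ORIGIN) {
    return fallback; // resolved to some other host or scheme
  }
  // Return the absolute URL, not target.pathname: a pathname such as
  // "//attacker.example" would be read as protocol-relative in a Location
  // header. The fragment is dropped deliberately.
  return target.origin + target.pathname + target.search;
}

module.exports = { vulnerableRedirect, fixedRedirect, allowListRedirect, fixedDomainRedirect };
```

In an Express-style handler the returned string is what you would hand to `res.redirect()` after the credentials check succeeds.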

Mobile users beware

Most mobile devices will only show the domain of the site you’re visiting and will exclude any parameters, including redirections. This makes it very tricky for mobile users to spot a malicious redirect.

Fun fact

Pros can be caught out by open redirects

91% of all cyber attacks start with email! A lot of people are well educated now to recognize phishing emails but are rarely taught how to spot a malicious redirect. This is why open redirects are so valuable to attackers.

Key takeaways

  • Attackers actively abuse this vulnerability to evade email scanners and trick users into thinking they’re visiting legitimate domains.
  • There are several different ways to mitigate this vulnerability: using an allow list, implementing a fixed redirect, or a fixed domain.
  • Open redirects can be chained with other vulnerabilities to create a much higher impact attack chain.

Keep learning

Congratulations

You have taken your first step into learning what open redirection is, how it works, what the impacts are, and how to protect your own applications. We hope that you will apply this knowledge to make your applications safer. We'd really appreciate it if you could take a minute to rate how valuable this lesson was for you and provide feedback to help us improve! Also, make sure to check out our lessons on other common vulnerabilities.