Attack Series: Arbitrary URL Redirect/Forward Attack
What are arbitrary URL Redirect/Forward attacks?
‘Redirect’ or ‘forward’ is application functionality whereby the application sends the user’s browser to another location, or hands the request over to another function within the application itself. A typical use case is the authentication process: when a user tries to access a restricted area of the application, the application automatically redirects the client to the login form.
In specific cases, this functionality can be abused by an attacker to redirect a legitimate client to an arbitrary location, transferring, for example, the trust the user has established in the legitimate application to a site hosting malware.
The redirect itself is not a direct security vulnerability; however, it can be exploited in phishing (social engineering) attacks, making the user believe he or she is still inside legitimate content and thus handing credentials or sensitive data to the attacker. The attack can also be used at scale to artificially inflate advertising systems and pay-per-click transactions.
Example:
A vulnerable site routes the user to a trusted location (the login area):
http://www.vulneravel.com?redirect=http://www.vulneravel.com/login
Because the application does not correctly validate the value of the redirect parameter, it allows the attacker to build a link that redirects the legitimate client to an untrusted site:
http://www.vulneravel.com?redirect=http://hacker.com/login
Once the attacker holds such a link, he or she only needs to convince the legitimate user to open it in a browser, or can even apply search engine optimization (SEO) techniques so that the link shows up when a user searches for the legitimate site.
Starting from this, the attacker can also copy the legitimate site’s look and feel onto a fake form to capture the victim’s access credentials and then redirect him or her back to the legitimate application, so that nothing looks amiss.
Is my application vulnerable to URL Redirect/Forward attacks?
Based on the example above, the best way to find out whether your application is vulnerable to this issue is to test every redirection that occurs in its interaction with the user.
To do so, browse through the application and identify which pages return redirection codes (generally, HTTP 301 and 302), then test whether the valid parameter values can be replaced with external locations unrelated to your application. Keep in mind that redirects performed by a meta refresh tag or by JavaScript do not return a 3xx status code, so the page content has to be checked as well.
To fix the issue, it is suggested that the application keep, where possible, a list of permitted destinations and refer to them by code, so that the URL is never disclosed explicitly in the parameter. Another way to deal with the problem is to apply cryptography to the redirection parameter, for example a keyed hash (HMAC) over the destination, so that a valid destination can only be built by a legitimate transaction that occurred within the system; an unkeyed hash is not enough, since the attacker can compute it for any destination.
What is the impact and main consequences of such attack?
Attackers can exploit this vulnerability to convince users to install malware or programs that capture passwords and other confidential information. In specific situations (server-side forwards), it can also be used to bypass access controls.
Scenarios:
The application has a page called ‘redir.jsp’ with a parameter called ‘url’. The attacker crafts a malicious URL that redirects users to a malicious site (phishing) which can also install malware (instala.exe):
http://www.exemplo.com/redir.jsp?url=atacante.com/instala.exe
In this other example, the application uses a parameter to indicate where the user should be forwarded once a transaction succeeds. The attacker can change the destination to gain access to restricted areas: because a forward is handled inside the server, the target page is reached without a new request passing through the access-control checks that would apply if it were requested directly.
Example:
- From:
http://www.exemplo.com/correct.jsp?fwd=success.jsp
- To:
http://www.exemplo.com/correct.jsp?fwd=admin.jsp
Attackers can also improve their social engineering tactics by obscuring the redirect target using various techniques. For example, the URL below performs the same redirect, but the ‘evil.com’ domain has been converted into its percent-encoded hexadecimal equivalent, which browsers decode back to the real host name:
http://www.exemplo.com/redir.jsp?url=http://%65%76%69%6c%2e%63%6f%6d/evil_page.html
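The testing step described earlier (find the pages that return 301/302 and check whether their Location header can be pushed off-site) comes down to deciding, for each redirect, whether the browser would end up on a host other than the application’s. The checker below is an added example written for this article, not code from the original page or from N-Stalker; the application host www.exemplo.com, the function names and the recorded sample responses are assumptions constructed for illustration. It resolves the Location value the way a browser does, so the percent-encoded host above, protocol-relative URLs, a backslash in place of a slash, user-info tricks and look-alike subdomains are all classified correctly.

```python
"""Decide whether a redirect leaves the application.

Added example, not code from the original page. APP_HOST, the function
names and SAMPLE_RESPONSES are assumptions constructed for illustration.
"""
from urllib.parse import unquote, urljoin, urlsplit

APP_HOST = "www.exemplo.com"   # assumed application host (the page's example domain)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _normalise(location: str) -> str:
    """Apply the rewrites browsers perform before parsing an http(s) URL:
    tab, CR and LF are dropped, and backslash is treated as a slash."""
    for ch in ("\t", "\r", "\n"):
        location = location.replace(ch, "")
    return location.strip().replace("\\", "/")


def redirect_target(base_url: str, location: str) -> str:
    """Return the lower-case host the browser lands on after following
    Location, resolving relative and protocol-relative references against
    the page that issued the redirect and percent-decoding the host."""
    absolute = urljoin(base_url, _normalise(location))
    parts = urlsplit(absolute)
    # .hostname already strips user-info ("www.exemplo.com@evil.com") and port.
    return unquote(parts.hostname or "").lower()   # "%65%76%69%6c.com" -> "evil.com"


def leaves_application(base_url: str, location: str) -> bool:
    """True when following the redirect ends up on a host other than APP_HOST.
    Exact comparison is deliberate: "www.exemplo.com.evil.com" is off-site,
    and sub-domains of APP_HOST are flagged for manual review rather than trusted."""
    return redirect_target(base_url, location) != APP_HOST


# Constructed sample of what a crawl might record: (request URL, status, Location)
SAMPLE_RESPONSES = [
    ("http://www.exemplo.com/redir.jsp?url=/login", 302, "/login"),
    ("http://www.exemplo.com/redir.jsp?url=http://atacante.com/instala.exe", 302,
     "http://atacante.com/instala.exe"),
    ("http://www.exemplo.com/redir.jsp?url=//evil.com/", 302, "//evil.com/"),
    ("http://www.exemplo.com/redir.jsp?url=http://%65%76%69%6c%2e%63%6f%6d/evil_page.html", 301,
     "http://%65%76%69%6c%2e%63%6f%6d/evil_page.html"),
    ("http://www.exemplo.com/redir.jsp?url=http://www.exemplo.com@evil.com/", 302,
     "http://www.exemplo.com@evil.com/"),
    ("http://www.exemplo.com/redir.jsp?url=http://www.exemplo.com.evil.com/", 302,
     "http://www.exemplo.com.evil.com/"),
    ("http://www.exemplo.com/redir.jsp?url=/\\evil.com", 302, "/\\evil.com"),
    ("http://www.exemplo.com/page.jsp", 200, None),
]


def find_open_redirects(responses):
    """Return the request URLs whose 3xx response sends the browser off-site."""
    findings = []
    for url, status, location in responses:
        if status in REDIRECT_CODES and location is not None:
            if leaves_application(url, location):
                findings.append(url)
    return findings


if __name__ == "__main__":
    for hit in find_open_redirects(SAMPLE_RESPONSES):
        print("open redirect:", hit)
```

Only the first sample (a relative path inside the application) and the non-redirect response pass; every other entry is reported, including the hex-encoded host, which a naive string match on ‘evil.com’ would miss.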
Correcting vulnerable code
Avoiding arbitrary redirect/forward flaws is a key part of managing vulnerabilities and risk in any web application; after all, they are among the favorite targets of fraudsters for social engineering attacks. The main recommendations to mitigate this risk are:
- Avoid redirect/forward routines where possible and, when they cannot be avoided, carry the destination in session variables rather than in HTTP parameters;
- Do not put the real URL in the parameter; use a reference value that is translated server-side into the target URL;
- If neither of the previous measures is possible, protect the parameter that carries the URL value cryptographically (for example, with an HMAC tag computed by the server) so that a forged destination is rejected.
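The three patterns described in this section and in the testing section above, side by side: the vulnerable handler that reflects the parameter, the destination-by-code approach, and the HMAC-protected parameter. This is an added example written for this article, not code from the original page or from N-Stalker; the handler names, the DESTINATIONS table, the secret key and the www.vulneravel.com origin are assumptions made for illustration, and the web framework is modelled by plain functions that return the value of the Location header (or None when the redirect must be refused).

```python
"""Open redirect: the vulnerable pattern beside two of the page's fixes.

Added example, not code from the original page. Handler names, the
DESTINATIONS table, SECRET_KEY and APP_ORIGIN are assumptions made for
illustration; each handler returns the Location value or None (refuse).
"""
import hashlib
import hmac
from typing import Optional

APP_ORIGIN = "http://www.vulneravel.com"   # assumed; the page's example site


# --- Vulnerable: the parameter is used as-is --------------------------------
def redirect_vulnerable(params: dict) -> Optional[str]:
    """Reflects ?redirect= straight into Location, the flaw described above."""
    return params.get("redirect")


# --- Fix 1: destinations referenced by code ---------------------------------
# The allowed targets live server-side; the client only ever sees the key.
DESTINATIONS = {
    "login": "/login",
    "account": "/account",
    "help": "/help",
}


def redirect_by_code(params: dict) -> Optional[str]:
    """Translates ?to=<code> into a URL; unknown codes are refused, never
    passed through, so there is no path from the parameter to Location."""
    target = DESTINATIONS.get(params.get("to", ""))
    if target is None:
        return None
    return APP_ORIGIN + target


# --- Fix 2: HMAC-protected destination --------------------------------------
# Assumed secret for the example; in a real deployment load it from
# configuration and never ship it with the client-side code.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"


def sign_url(url: str) -> str:
    """The server computes this tag when it builds a legitimate redirect link
    (e.g. ?redirect=<url>&sig=<tag>). Without SECRET_KEY it cannot be forged,
    which is why a plain hash of the URL would not be sufficient."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def redirect_signed(params: dict) -> Optional[str]:
    """Honours ?redirect=&sig= only when the tag matches the URL exactly."""
    url = params.get("redirect")
    sig = params.get("sig", "")
    if url is None:
        return None
    expected = sign_url(url)
    # compare_digest keeps the comparison constant-time; bytes avoid a
    # TypeError if the attacker sends non-ASCII characters in sig.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    attacker = {"redirect": "http://hacker.com/login"}
    print("vulnerable ->", redirect_vulnerable(attacker))
    print("by code    ->", redirect_by_code({"to": "login"}))
    print("by code    ->", redirect_by_code({"to": "http://hacker.com"}))
    good = APP_ORIGIN + "/login"
    print("signed     ->", redirect_signed({"redirect": good, "sig": sign_url(good)}))
    print("signed     ->", redirect_signed({"redirect": attacker["redirect"],
                                             "sig": sign_url(good)}))
```

With the code-based handler the attacker has nothing to inject into: any value that is not a known key is refused. With the signed handler the attacker can still choose the URL in the request, but cannot produce a matching tag for it, so swapping the legitimate destination for hacker.com while reusing the original signature is rejected.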
OWASP Top 10 (A10)
The arbitrary URL Redirect/Forward attack (Unvalidated Redirects and Forwards) is part of the OWASP Top 10, the list of the ten most critical web application vulnerabilities, as item A10 of the 2010 edition.
To learn more about it, please see the reference below:
https://www.owasp.org/index.php/Top_10_2010-A10
How N-Stalker can help you!
The N-Stalker Web Application Security Scanner 2012 can help your organization find Unvalidated Redirects and Forwards (A10) issues automatically. The standard installation of N-Stalker Free Edition ships with a large set of predefined policies that already detect this vulnerability.
Download the free edition of N-Stalker 2012.