Most web applications use redirects internally to route users within the application. In some cases, the target URL of the redirection is exposed and may be modified by the user, for instance as a query string parameter in the URL.
This may be exploited by attackers to trick users into providing sensitive information to the attacker through a phishing attack. The attacker lures the target onto a trusted URL that has an unvalidated redirection. The user is then redirected to another URL that is owned by the attacker and used to gather sensitive information. By mimicking the visual identity of the exploited application and possibly using a typosquatted domain, the attacker makes it unlikely that the user notices they have in fact been redirected to an untrusted URL. The attacker uses this opportunity to gather passwords, credit card information or other sensitive data.
In this example, a web application has a section that is publicly available and another section that requires users to sign in. When an unauthenticated user visits a protected page, they are redirected to the sign-in page.
In this case, the application wants to redirect users back to the protected page, once they’ve signed in.
For instance, if an unauthenticated user visits the following protected page:
https://trustedapp.com/protected-page
They will be redirected to:
https://trustedapp.com/login?back=https%3A%2F%2Ftrustedapp.com%2Fprotected-page
This page is part of a Ruby on Rails application and the controller’s code looks like this:
    def login
      user = User.authenticate(params[:email], params[:password])
      if user
        # Vulnerable: the back parameter is used as the redirect target without any validation
        redirect_to params[:back]
      else
        flash[:error] = "Invalid login"
      end
    end
On successful sign-in, this code will redirect the user to any URL that is entered in the back query string variable.
An attacker wants to steal credit card information from the users of trustedapp.com and has obtained a list of email addresses for some of its users.
The attacker sends an email asking users to verify their credit card details for trustedapp.com. The email contains a link to:
https://trustedapp.com/login?back=https%3A%2F%2Ftrustedapp.co%2Fupdate-credit-card
The attacker has obtained ownership of trustedapp.co, so once the user has signed in and is looking to update their credit card, they will be redirected to the attacker’s page:
https://trustedapp.co/update-credit-card
This page contains a credit card form that steals the data instead of saving it into the systems of trustedapp.com. Because the user went through the familiar steps of signing in and ended up on a page with the same visual characteristics and an almost identical domain name, they never noticed that they were in fact entering information on the attacker’s page.
Avoiding unvalidated redirects is simple and there are many ways to accomplish this. These are a few examples:
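One way to validate the back parameter, as an added example that is not the article's own code: a plain-Ruby helper that only accepts a local path or an https URL on the trusted host and otherwise falls back to a default path. The helper name, the default path and the evil.example hostnames in the comments are assumptions; the controller line showing how it would be used is a sketch and is not executed here.

```ruby
require "uri"

# Hypothetical helper (added example, not from the original article).
# Returns a target that is safe to pass to redirect_to: the validated
# value of the back parameter, or DEFAULT_PATH when it is not acceptable.
DEFAULT_PATH = "/"

def safe_back_url(back, trusted_host: "trustedapp.com")
  return DEFAULT_PATH if back.nil? || back.strip.empty?

  # Some browsers treat "/\evil.example" like "//evil.example", so refuse
  # backslashes before parsing rather than relying on the parser.
  return DEFAULT_PATH if back.include?("\\")

  uri = begin
    URI.parse(back)
  rescue URI::InvalidURIError
    return DEFAULT_PATH
  end

  if uri.host.nil?
    # No host: either a relative reference or a scheme-only URI such as
    # "javascript:alert(1)". Only a path that starts with exactly one "/"
    # is allowed; "//evil.example/x" is protocol-relative and leaves the site
    # (URI.parse assigns it a host, so it is handled by the branch below).
    return DEFAULT_PATH unless uri.scheme.nil?
    path = uri.path.to_s
    return DEFAULT_PATH unless path.start_with?("/") && !path.start_with?("//")
    return back
  end

  # Absolute URL: only https, only the exact trusted host (so the
  # typosquatted trustedapp.co and "trustedapp.com.evil.example" are
  # refused), and no userinfo (so "https://trustedapp.com@evil.example"
  # is refused as well).
  return DEFAULT_PATH unless uri.scheme == "https"
  return DEFAULT_PATH unless uri.host.casecmp?(trusted_host)
  return DEFAULT_PATH unless uri.userinfo.nil?
  back
end

# In the Rails controller from the article this would replace the
# vulnerable line (sketch only, not run here):
#   redirect_to safe_back_url(params[:back], trusted_host: request.host)
```

Rails 7 additionally offers redirect_to(url, allow_other_host: false), which raises on a cross-host target; the helper above instead degrades to a default path so the sign-in flow still completes.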
More useful information may be found at:
We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify security critical parts of the software.
This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.