Most web applications use redirects internally to route users within the application. In some cases, the target URL of the redirection is exposed and may be modified by the user, for instance as a query string parameter in the URL.
This may be exploited by attackers to trick users into providing sensitive information to the attacker through a phishing attack. The attacker lures the target onto a trusted URL that has an unvalidated redirection. The user is then redirected to another URL that is owned by the attacker and used to gather sensitive information. By mimicking the visual identity of the exploited application and possibly using a typosquatted domain, the attacker makes it unlikely that the user notices they have in fact been redirected to an untrusted URL. The attacker uses this opportunity to gather passwords, credit card information or other sensitive data.
In this example, a web application has a section that is publicly available and another section that requires users to sign in. When an unauthenticated user visits a protected page, they are redirected to the sign in page.
In this case, the application wants to redirect users back to the protected page, once they’ve signed in.
For instance, if an unauthenticated user visits the following protected page:
They will be redirected to:
This page is part of a Ruby on Rails application and the controller’s code looks like this:
    def login
      user = User.authenticate(params[:email], params[:password])
      if user
        # The redirect target is taken straight from the request, unvalidated.
        redirect_to params[:back]
      else
        flash[:error] = "Invalid login"
      end
    end
On successful sign in, this code will redirect the user to any URL that is entered in the back query string variable.
An attacker wants to steal credit card information from the users of trustedapp.com and has obtained a list of email addresses for some of its
The attacker sends an email asking users to verify their credit card on trustedapp.com. The email contains a link to:
The attacker has obtained ownership of trustedapp.co, so once the user has signed in and is looking to update their credit card, they will be redirected to the attacker’s page:
This page contains a credit card form that steals the data instead of saving it into the systems of trustedapp.com. Because the user went through the familiar steps of signing in and ended up on a page with the same visual characteristics and an almost identical domain name, they never noticed that they were in fact entering information on the attacker’s page.
Avoiding unvalidated redirects is simple and there are many ways to accomplish this. These are a few examples:
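One way to harden the login action above is to accept only paths inside the application and fall back to a safe default for anything else. The helper below is an added example written for this article, not code from the original post or from Rails; `safe_redirect_target` is a hypothetical name, and it only needs Ruby's standard `uri` library so it runs outside a Rails app.

```ruby
require "uri"

# Returns +back+ only when it is a path inside this application, otherwise +fallback+.
# Hypothetical helper, not part of the original article or of Rails itself.
def safe_redirect_target(back, fallback = "/")
  return fallback if back.nil? || back.strip.empty?

  begin
    uri = URI.parse(back)
  rescue URI::InvalidURIError
    # Backslashes and other junk that some browsers "repair" into a host name.
    return fallback
  end

  # Any scheme, host or credentials means the target leaves the application,
  # including protocol-relative forms such as "//trustedapp.co/login".
  return fallback if uri.scheme || uri.host || uri.userinfo

  path = uri.path.to_s
  # Require an absolute local path and refuse the "//" and "\" spellings that
  # some user agents interpret as an authority component.
  return fallback unless path.start_with?("/")
  return fallback if path.start_with?("//") || path.include?("\\")

  target = path
  target += "?#{uri.query}" if uri.query
  target += "##{uri.fragment}" if uri.fragment
  target
end

# In the article's controller the unvalidated call becomes:
#   redirect_to safe_redirect_target(params[:back], root_path)
```

Rails 7 and later can additionally enforce this at the framework level with `redirect_to url, allow_other_host: false`, which rejects targets on a foreign host.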
More useful information may be found at:
We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify the security-critical parts of the software.
This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.
Fixed Price per Review
Our code security review service is in popular demand.
Next spots are available in July 2019.