Unvalidated redirects and forwards

On most sites, whether banking, e-commerce or anything else, redirection is bound to happen. Let's take a banking site as an example.

  • Login page
  • Payment option –> payment gateway redirection
  • Payment gateway –> bank’s page (already logged in)
  • Bank’s page –> rewards page, in case you redeem credit card rewards (if you have any)
  • Rewards page –> Bank’s page

What happens if an attacker is able to redirect you to his own link instead of the payment gateway? His gateway looks exactly like the original one, but steals the card details you type in or installs malware on your computer. The possibilities go on and on.

DEMO

EXAMPLE 1

[Screenshot 1] The site should take you to the LinkedIn page.
[Screenshot 2] The request is intercepted and you can see the destination parameter.
[Screenshot 3] Change it to the attacker's destination, and BOOM.

EXAMPLE 2

[Screenshot 4] Want to go back to the home page?
[Screenshot 5] Here is the intercepted request.

Changing the destination to test.com does not work here, because the page validates that the URL is not external. It does no checking on internal URLs, though.

[Screenshot 6] It takes you to the admin page instead (an unvalidated forward).

REMEDIATION

  • No redirection, if possible
  • Never determine the destination from user input; if that cannot be avoided,
    • validate the input (same origin, expected path, no scheme or host)
    • check that the user is authorised to reach that destination
    • sanitize it
  • If you need to send the user to a page without the user’s interaction, hard-code the destination, or protect the parameter (sign or encrypt it) so it cannot be tampered with.
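As an added example (not code from the original post), here is a Python sketch of the weak "not external" check that EXAMPLE 2 appears to rely on, next to a hardened validator that covers all three remediation points: it rejects anything that names a scheme or host (including protocol-relative `//host` and backslash tricks), requires the path to be on a per-role allowlist so a customer cannot be forwarded to /admin, and offers an indirect-reference table so the browser never carries a raw URL at all. The origin bank.example, the paths and the role names are assumptions made up for the demo.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed, hypothetical site origin and per-role landing pages.
SITE_ORIGIN = "https://bank.example"
ALLOWED_LANDING_PAGES = {
    "customer": {"/", "/account", "/rewards"},
    "admin": {"/", "/account", "/rewards", "/admin"},
}
# Indirect references: the request carries a key, never a URL.
REDIRECT_TABLE = {"home": "/", "account": "/account", "rewards": "/rewards"}

DEFAULT_TARGET = "/"   # hard-coded fallback, never user controlled


def weak_is_internal(target: str) -> bool:
    """Reconstruction (assumed) of the EXAMPLE 2 check: it only refuses
    targets that spell out http:// or https://.  Protocol-relative
    //evil.example slips through, and so does any internal path such as
    /admin, because authorisation is never considered."""
    return not target.lower().startswith(("http://", "https://"))


def safe_redirect_target(user_supplied: str, role: str) -> str:
    """Return a same-origin path the given role may be sent to, or the
    hard-coded default.  Validate, authorise, then sanitise."""
    if not user_supplied:
        return DEFAULT_TARGET
    # Characters browsers normalise away (tab/newline) or treat as '/'
    # (backslash) are refused outright rather than "cleaned".
    if any(c in user_supplied for c in "\\\r\n\t\x00") or not user_supplied.isprintable():
        return DEFAULT_TARGET
    # Anything starting with // (or ///) is scheme-relative in browsers.
    if user_supplied.startswith("//"):
        return DEFAULT_TARGET
    parts = urlsplit(user_supplied)
    # A scheme (https:, javascript:) or a host means it is not our page.
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    if not parts.path.startswith("/"):
        return DEFAULT_TARGET
    # Authority check: the destination must be one this role may land on.
    if parts.path not in ALLOWED_LANDING_PAGES.get(role, set()):
        return DEFAULT_TARGET
    # Sanitise: rebuild the target from the validated components only.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def redirect_by_key(key: str) -> str:
    """Indirect reference: the only destinations are those in the table."""
    return REDIRECT_TABLE.get(key, DEFAULT_TARGET)


if __name__ == "__main__":
    for target in ["https://evil.example/", "//evil.example/", "/admin", "/rewards?tab=points"]:
        print(f"{target!r:28} weak={weak_is_internal(target)!s:5} "
              f"customer->{safe_redirect_target(target, 'customer')} "
              f"admin->{safe_redirect_target(target, 'admin')}")
```

The Location header should be built from the value these functions return, never from the raw parameter. Where the destination set is fixed (home, account, rewards), the indirect-reference table is the simplest option and removes the need to validate URLs at all.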