Open Redirection Bug

Open redirects are fun to find. Most bug bounty programs don't pay more than $250 each, but I still love finding them. I have found around 500 open redirects in my life. I don't look for them so much anymore, but I still think they are a must-look for a beginner or for a person who wants to earn a few easy dollars.

I would recommend looking for them, not permanently, but still take a look whenever you find a missing URL parameter in your target. You can also look for XSS in that situation!

Open redirect vulnerabilities, also known as unvalidated redirects and forwards, are a sneaky security flaw that can trick users into visiting malicious websites. Imagine a trusted friend giving you directions to a safe destination, but secretly leading you into a trap. That's the essence of an open redirect.

Understanding Open Redirects: The Basics

Open redirects occur when a web application takes a user-supplied input and uses it to redirect the user to another URL without proper validation or sanitization. This allows attackers to craft malicious links that appear to come from a trusted source, but actually lead to phishing sites, malware downloads, or other harmful destinations.

The Anatomy of an Open Redirect

**1. User Input:** The attacker provides a malicious URL as input to the web application. This could be through a parameter in a URL, a hidden form field, or even a cookie.
**2. Unvalidated Redirect:** The web application blindly redirects the user to the attacker-supplied URL without checking if it's legitimate.
**3. User Deception:** The user clicks on the malicious link, believing it to be safe because it appears to come from a trusted source.
**4. Malicious Action:** The user is redirected to the attacker's website, where they may be tricked into revealing sensitive information, downloading malware, or performing other harmful actions.

Types of Open Redirects

**○ Reflected Open Redirects:** The malicious URL is reflected back to the user in the HTTP response. This is often seen in error messages or other dynamic content.
**○ Stored Open Redirects:** The malicious URL is stored on the server and used to redirect users in the future. This can happen in user profiles, comments, or other stored data.

Impact of Open Redirects

Open redirects can be used to facilitate a variety of attacks, including:

**○ Phishing Attacks:** Attackers can create convincing phishing pages that appear to be from legitimate websites.
**○ Malware Distribution:** Attackers can trick users into downloading malware by disguising it as a legitimate download from a trusted site.
**○ Session Hijacking:** Attackers can steal a user's session cookie by redirecting them to a malicious website that captures the cookie.
**○ Denial of Service (DoS):** Attackers can redirect users to a website that is designed to overload the server and cause a DoS attack.

Identifying and Exploiting Open Redirects

**1. Manual Testing:**

    ○ Look for parameters in URLs, forms, or cookies that are used to redirect users.
    ○ Try injecting different URLs to see if the application redirects you to them.
    ○ Look for ways to bypass filters and WAFs (Web Application Firewalls).

**2. Automated Scanning:**

    ○ Use web vulnerability scanners like Burp Suite to automate the process of finding open redirects.

Example Payloads:

https://vulnerable-website.com/redirect?url=https://malicious-website.com
https://vulnerable-website.com/profile?redirect_uri=https://malicious-website.com

Mitigating Open Redirects

○ **Whitelist Valid URLs:** Only allow redirects to a pre-approved list of safe URLs.
○ **Validate User Input:** Sanitize and validate all user-supplied input that is used for redirects.
○ **Use Referrer Checks:** Verify that the referrer header matches the expected domain.
○ **Warn Users:** Display a warning message before redirecting users to external websites.
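To make the "Unvalidated Redirect" step and the allowlist mitigation concrete, here is an added example (my own code, not from the original post or any project it names). It contrasts the vulnerable pattern that uses the parameter as-is with a validator that only permits site-relative paths or allowlisted hosts, and it rejects the usual filter-bypass shapes a naive `startswith("/")` check lets through (protocol-relative `//host`, backslash `/\host`, triple-slash, `trusted@evil` userinfo, look-alike subdomains, non-http schemes). The same validator is then reused to scan a few constructed access-log lines for redirect parameters that would have left the site, which is the detection side of the "Manual Testing" step. The allowlist, the parameter names, the function names `safe_redirect_target` / `find_offsite_redirects` and all log lines are assumptions made up for this illustration.

```python
"""Added example: allowlist-based redirect validation plus a log scan that reuses it.
Hostnames, parameter names and log lines below are constructed for illustration."""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Hosts this application may send users to (assumed allowlist).
ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}

# Parameter names commonly used for post-action redirects (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "returnTo", "goto"}

# Control characters and whitespace that must never reach a Location header.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def unvalidated_redirect_target(user_supplied: str) -> str:
    """The vulnerable pattern from step 2 above: the value is used exactly as given."""
    return user_supplied


def safe_redirect_target(user_supplied: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return a redirect target that stays on-site, or None if it must be refused.

    Callers do `target = safe_redirect_target(value) or "/"` to fall back safely.
    """
    if not user_supplied:
        return None
    # Browsers treat backslashes as slashes, so normalize before parsing;
    # otherwise "/\\evil.example" looks like a local path but leaves the site.
    candidate = user_supplied.strip().replace("\\", "/")
    if _CONTROL_CHARS.search(candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None  # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or protocol-relative URL: the real hostname must be allowlisted.
        # .hostname strips userinfo and port, so "trusted@evil" resolves to "evil".
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return None
        # Rebuild so userinfo and odd ports are dropped from what we emit.
        return urlunsplit((parts.scheme or "https", host, parts.path or "/",
                           parts.query, parts.fragment))
    # No authority part: accept only a site-relative path with exactly one leading
    # slash. "//..." and "///..." are authority-bearing to browsers, so refuse them.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None
    return candidate


# Constructed access-log lines (combined log format) for the scan below.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /redirect?url=https://www.vulnerable-website.com/home HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /redirect?url=https://malicious-website.com HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /login?next=//malicious-website.com/phish HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2024:13:55:42 +0000] "GET /login?next=/\\malicious-website.com HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2024:13:55:43 +0000] "GET /profile?redirect_uri=https://vulnerable-website.com@malicious-website.com/ HTTP/1.1" 302 0
198.51.100.2 - - [10/Oct/2024:13:56:01 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0
"""

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def find_offsite_redirects(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (param, raw_value) for each request whose redirect-style parameter
    points off-site, i.e. a value safe_redirect_target() would refuse."""
    findings = []
    for line in log_text.splitlines():
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in REDIRECT_PARAMS and safe_redirect_target(value, allowed_hosts) is None:
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for param, value in find_offsite_redirects(SAMPLE_ACCESS_LOG):
        print(f"off-site redirect attempt via {param}={value!r}")
```

The validator deliberately returns a rebuilt URL rather than the raw input, so even an allowed host is emitted in canonical form without userinfo or port. For the log scan, a real deployment would feed it the web server's access log and alert on hits against the `302` responses, which is also the quickest way to confirm after a fix that the endpoint no longer honours those values.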

Happy hunting!

Author: Ayush Khatkar is a cybersecurity researcher, technical writer and an enthusiastic pen-tester at Asecurity.

#bugbounty #infosec #cybersecurity