05 Mar 2024

DOM-based open redirection

DOM-based open redirection vulnerabilities occur when an application takes data from the DOM (Document Object Model) that the attacker can manipulate and uses this data to redirect the user to an arbitrary URL. This type of vulnerability is particularly concerning because it can lead to phishing attacks, theft of sensitive information, or spreading malware.

In a typical scenario, the application might use JavaScript to read the URL parameters and then redirect the user based on those parameters. An attacker can exploit this by crafting a malicious URL with a parameter that points to an external, malicious website. When an unsuspecting user clicks on this link, the JavaScript code executes and redirects them to the attacker-specified URL, bypassing any server-side checks on the redirect target.

Exploitation examples

For a deeper understanding of the vulnerability, consider the “DOM-based open redirection” lab from PortSwigger. This lab contains a DOM-based open redirection vulnerability. To solve it, we need to exploit this vulnerability and redirect the victim to the exploit server.

Let’s start by learning about the web application.

This looks like a website with a blog. Let’s open one of the articles on that blog and look at the page source.

In the screenshot, you can see DOM manipulation performed by JavaScript inside an onclick event handler. The part of the code shown in the screenshot extracts the url parameter from the current URL of the page (location.href) using a regular expression and then redirects the user to the extracted URL.

Specifically, the code uses the exec method of the regular expression to find a match in location.href. If a match is found, the code assigns location.href the value returnUrl[1], which is the portion of the URL after url=. Since the code performs no validation or sanitization of returnUrl[1] before using it as the redirect target, this is a DOM-based open redirection vulnerability: the source is location.href and the sink is the assignment to location.href.

Knowing this, let’s create a payload. It will look like this: &url=http://example.com. Let’s append it to the page URL and send the request.

At first glance, nothing happens, but once we click on the “Back to Blog” button, we are taken to the “example.com” domain!

Great. Now, to complete the task, let’s replace example.com in the url parameter with a link to our exploit server.

Scanners that detect vulnerabilities

  1. REDIRECT X: This scanner by Nova Security is capable of identifying and verifying server-side, DOM-based, and form-based open redirects. It includes advanced features like a Validator Engine to reduce false positives and can perform scans even on authenticated parts of a website.

  2. Invicti: Formerly known as Netsparker, Invicti can detect DOM-based open redirection vulnerabilities. It provides a severity rating for the vulnerabilities and offers remediation advice, such as using whitelists for dynamic URLs and only accepting URLs from trusted domains.

  3. Acunetix: With its DeepScan technology, Acunetix can trace the execution of script code to detect DOM-based XSS vulnerabilities, which are related to open redirection. It can monitor data flow from sources to sinks, where vulnerabilities like XSS and potentially open redirections can occur.

  4. VulnScanX: A command-line application that can test for various types of vulnerabilities including DOM-based XSS, SQL injection, remote code execution, and also includes open redirection testing.

  5. RapidScan: This is a multi-tool web vulnerability scanner that uses various tools under one umbrella to test for vulnerabilities, including open redirections. It provides detailed reports and remediation advice.

  6. afrog: A high-performance security tool suitable for bug bounty, pentesting, and red teaming, which includes vulnerability scanning capabilities with low false positives and customizable PoCs, potentially useful for detecting open redirections.

  7. Threat-Patrol: This is a Python script that can scan websites for a variety of potential vulnerabilities, including open redirection, and offers an easy-to-use command-line interface.

Average CVSS score for DOM-based open redirection

CVSS stands for Common Vulnerability Scoring System. It is a standardized framework that assesses the severity of computer system security vulnerabilities. CVSS scores range from 0 to 10, with higher values indicating greater severity. The score is based on several metrics that evaluate aspects like the complexity of the attack, the required privileges, the impact on confidentiality, integrity, and availability, and more.

In relation to DOM-based open redirection, these vulnerabilities have been reported with a medium severity level and can be associated with varying CVSS scores depending on the context and the specific vulnerability. One example given had a score of 6.1, which suggests a moderate level of risk. This score takes into account the potential for the vulnerability to be used in phishing attacks or other malicious actions that could significantly impact users and systems.

CVEs related to DOM-based open redirection

CVE-2020-1323: This vulnerability was identified in Microsoft SharePoint and could lead to spoofing attacks where an attacker sends a specially crafted URL to convince the user to click on it, leading to an open redirect​​.

CVE-2020-4048: A vulnerability in WordPress, where wp_validate_redirect() and URL sanitization issues allowed an arbitrary external link to be crafted leading to an open redirect when clicked. This vulnerability was patched in WordPress version 5.4.2​​.

CVE-2022-23618: This issue was discovered in XWiki Platform, where the software did not have protection against URL redirection to untrusted sites. Parameters like xredirect could be used to perform URL redirections. It was patched in versions XWiki 12.10.7 and XWiki 13.3RC1​​.

CVE-2021-22098: A vulnerability in the UAA server versions prior to 75.4.0, where a malicious user could exploit an open redirect vulnerability by using social engineering techniques. This could potentially lead to account takeovers and redirection of users to malicious sites.

CVE-2021-22054: This vulnerability was found in FireEye’s HXTool version 4.6. It could allow an attacker to redirect a user to a malicious page by modifying the ‘redirect_uri’ parameter.

CVE-2021-22050: This is another open redirect vulnerability, which affects all versions of PowerCMS 3 Series and earlier. It allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL.

Resources for studying DOM-based open redirection

Books

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto is a thorough guide to various web application vulnerabilities, including open redirection.

“OWASP Guide to Building Secure Web Applications and Web Services” is a book that includes chapters on redirect and forwarding, helping you to understand the safe ways to implement these features.

Online courses

Platforms like Coursera, Udemy, and edX offer cybersecurity courses where you can learn about web vulnerabilities. Courses on these platforms are often created by university professors or industry professionals.

Cybrary provides free and paid cybersecurity courses, some of which cover web application security concepts, including open redirection vulnerabilities.

Hands-On Laboratories

PortSwigger offers a Web Security Academy with interactive labs where you can practice exploiting and defending against various web vulnerabilities.

Hack The Box and TryHackMe provide hands-on cybersecurity training through virtual labs and real-world scenarios, including web security practices.

Certification Programs

Certified Ethical Hacker (CEH) by EC-Council covers a broad range of hands-on training in offensive security, including web application attacks.

Offensive Security Certified Professional (OSCP) by Offensive Security is an advanced penetration testing certification focusing on practical, hands-on skills, including web application attacks.

Conferences and Workshops

Security conferences such as DEF CON, Black Hat, and OWASP’s Global AppSec events often have workshops and training sessions on web security.

Many regional OWASP chapter meetings offer free talks and workshops that can be very helpful for learners at all levels.

Interactive Platforms

OWASP’s Juice Shop is an intentionally insecure web application for practicing website security audits.

PentesterLab is an online platform providing a set of exercises to learn about web security in a hands-on manner.

How do I protect against DOM-based open redirection?

  1. Ensure that all user-supplied input is validated against a strict set of rules (such as a regular expression) and sanitize input to remove or encode potentially dangerous characters. Do not allow URLs to be passed directly via URL parameters without validation.

  2. Where redirection is necessary, implement an allowlist (previously known as a whitelist) of trusted URLs to which redirection can occur. Any request for redirection should be checked against this list.

  3. If possible, avoid any feature that directly uses user input to redirect to a URL. Instead, use indirect methods such as referencing an ID mapped server-side to a trusted URL.

  4. When redirection is necessary, it’s more secure to handle it server-side rather than relying on client-side JavaScript.

  5. Use Content Security Policy (CSP) headers to restrict the URLs to which your application can navigate. This can prevent certain types of redirection attacks.

  6. Be careful when using JavaScript methods and properties that can result in redirection or URL changes, such as window.location or document.location. Ensure these do not use user-supplied data directly.

  7. Regularly test your applications for vulnerabilities with automated scanners and manual penetration testing to ensure defenses are working as intended.

  8. Make sure that the development team is aware of the risks associated with DOM-based open redirection and train them in secure coding practices.

  9. Keep abreast of the latest security advisories and patches for your development frameworks and libraries. Apply updates that address security issues promptly.
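The following is an added example, not code from the page or from the PortSwigger lab: a reconstruction of the handler pattern described in the lab walkthrough above (a regular expression pulling everything after url= out of location.href and assigning it to location.href), placed next to a hardened replacement that applies steps 1, 2 and 6 of this list (strict parsing, an origin allowlist, and never feeding raw user data to a location sink). The allowlist contents and the host names in the sample URLs are assumptions. Both functions return the navigation target instead of assigning location.href, so the file runs in Node without a DOM.

```javascript
// Added example (not the lab's or the page's own code): a reconstruction of the
// pattern the walkthrough describes, next to a hardened replacement.
// Both functions take the page URL as a string and return the navigation target
// instead of assigning location.href, so they run in Node without a DOM.

// VULNERABLE pattern: grab everything after "url=" with a regular expression and
// hand it straight to the location sink. Nothing checks where the URL points.
function vulnerableRedirectTarget(href) {
  const returnUrl = /url=(https?:\/\/.+)/.exec(href);
  return returnUrl ? returnUrl[1] : "/";
}

// HARDENED version: parse the page URL properly, read the url parameter, resolve
// it against the page's own origin and accept only http(s) targets whose origin
// is on the allowlist. Everything else falls back to the site root.
// allowedOrigins is an assumed allowlist, e.g. ["https://blog.example"].
function safeRedirectTarget(href, allowedOrigins) {
  const page = new URL(href);
  const raw = page.searchParams.get("url");
  if (raw === null) return "/";

  let target;
  try {
    // A relative path such as "/post?postId=4" resolves to the page's own origin;
    // an absolute URL or a scheme-relative "//evil.example" keeps its own origin.
    target = new URL(raw, page.origin);
  } catch (err) {
    return "/"; // unparsable input is never a redirect target
  }

  // Reject javascript:, data: and any other non-web scheme.
  if (target.protocol !== "http:" && target.protocol !== "https:") return "/";
  // Reject cross-origin targets, including scheme-relative ones. Comparing the
  // whole origin (not a string prefix) also rejects blog.example.attacker.example.
  if (!allowedOrigins.includes(target.origin)) return "/";

  // Return a relative reference so the result can never leave the allowed origin.
  return target.pathname + target.search + target.hash;
}

// Constructed sample page URLs; the host names are placeholders, not real sites.
const SAMPLES = [
  "https://blog.example/post?postId=4&url=https://attacker.example/login",
  "https://blog.example/post?postId=4&url=//attacker.example/login",
  "https://blog.example/post?postId=4&url=javascript:alert(1)",
  "https://blog.example/post?postId=4&url=/post?postId=4",
];

// Runs both handlers over the samples and returns the results side by side.
function compare(allowedOrigins) {
  return SAMPLES.map((href) => ({
    href,
    vulnerable: vulnerableRedirectTarget(href),
    safe: safeRedirectTarget(href, allowedOrigins),
  }));
}

for (const row of compare(["https://blog.example"])) {
  console.log(row);
}
```

Running the file shows the first sample sending the vulnerable handler off-site while the hardened handler falls back to "/", and the last sample (a same-site relative path, the only legitimate "back to blog" case) passing through both. Returning a relative reference rather than the parsed absolute URL is deliberate: even if the allowlist is later misconfigured, the sink can only navigate within the current origin.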

Conclusion

DOM-based open redirection is a significant security flaw that occurs when a web application takes attacker-controllable data from the Document Object Model and uses it as a redirect target without proper validation, allowing attackers to redirect users to malicious sites. This type of vulnerability is particularly dangerous because it can be exploited to conduct phishing attacks or spread malware by leveraging the trust associated with the vulnerable website.

The exploitation typically happens when an application uses JavaScript to read URL parameters and then redirects the user based on these parameters. Attackers craft malicious URLs with parameters pointing to an external site, and when an unsuspecting user clicks on such a link, the user is redirected to a site chosen by the attacker, bypassing any server-side checks on the redirect target.

To protect against these vulnerabilities, developers must adopt secure coding practices such as validating all user input, implementing allowlists for URL redirections, and handling redirects on the server side whenever possible. Utilizing Content Security Policy (CSP) headers can also help restrict the URLs to which the application can navigate.

For those seeking to understand and mitigate these vulnerabilities, there are numerous resources available, including books like “The Web Application Hacker’s Handbook,” online courses from platforms like Coursera and Udemy, hands-on laboratories from PortSwigger’s Web Security Academy, and certification programs like CEH and OSCP. Additionally, keeping up with security advisories, using vulnerability scanners, and regular security testing are crucial for maintaining the security posture against such vulnerabilities.
