20 Feb, 2023

Redirection to Malicious Site


Redirection to Malicious Site refers to a technique used by attackers to redirect users from a legitimate website to a malicious website without the user’s knowledge or consent. This technique can be accomplished by exploiting vulnerabilities in a website’s code or by tricking users into clicking on a link that takes them to a malicious site.

The purpose of this technique is often to steal sensitive information, such as login credentials, credit card information, or personal data, from unsuspecting users. The malicious site may also be used to download malware onto the user’s device, which can be used to steal additional information or to gain control of the device.

Examples of vulnerable code in different programming languages:


• in PHP:

A vulnerable code example that can lead to redirection to a malicious site is the use of the header() function on unvalidated input. For example:

<?php
// Sends the browser wherever the attacker-controlled ?url= parameter points (vulnerable)
header("Location: " . $_GET['url']);
?>

This code snippet redirects the user to the URL provided as a GET parameter. Because nothing restricts the value to the application's own host, an attacker can mail out a link to this endpoint, on the legitimate domain, whose url parameter points at a phishing page; the browser lands there after a single 302. Checking that the value starts with "/" is not enough: a value beginning with "//" or "/\" followed by a host name is resolved by browsers as an absolute URL on that other host.

• in JavaScript:

A vulnerable code example that can lead to redirection to a malicious site is the assignment of untrusted input to window.location without validation. For example:

// Takes whatever follows '#' in the current URL and navigates to it (vulnerable)
var redirectUrl = window.location.hash.substring(1);
window.location = redirectUrl;

This code snippet redirects the user to the URL carried in the fragment of the page's own URL, so an attacker can send a link to the legitimate page whose fragment holds an attacker-chosen destination. Because the fragment is never sent to the server, this DOM-based variant leaves no trace in server logs and cannot be caught by server-side filters or a WAF. Worse, assigning a javascript: URL to window.location executes it, so the same sink is also a DOM-based XSS vector, not only a redirect.

• in Ruby on Rails:

A vulnerable code example that can lead to redirection to a malicious site is a call to redirect_to with an unvalidated parameter. For example:

# Redirects to whatever ?url= contains; nothing restricts it to this application (vulnerable)
def redirect
  redirect_to(params[:url])
end

This code snippet redirects the user to the URL provided as a parameter, so an attacker can craft a link to this action whose url parameter points at a site they control. Rails 7.0 added the config.action_controller.raise_on_open_redirects setting (on by default for applications generated with the 7.0 defaults): with it enabled, redirect_to raises ActionController::Redirecting::UnsafeRedirectError for an off-site target unless allow_other_host: true is passed explicitly. Applications on older versions, or with the setting off, behave as shown.
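The hardened counterpart of the three snippets above, written here as an added JavaScript example rather than code from the original page. It resolves the untrusted value the way a browser will (WHATWG URL parsing), then returns either a root-relative path for same-origin targets, an absolute URL for an allowlisted host, or a fixed fallback. The origin https://app.example.com, the allowlisted host names and the fallback path are assumptions for the example.

```javascript
// Added example (not code from the original page): the hardened counterpart of
// the PHP, JavaScript and Rails snippets above. The origin, the allowlisted hosts
// and the fallback path are assumptions for the example.

const APP_ORIGIN = 'https://app.example.com';                          // assumed origin of the redirecting app
const ALLOWED_HOSTS = new Set(['app.example.com', 'sso.example.com']); // assumed hosts redirects may leave to
const DEFAULT_TARGET = '/';                                            // where rejected input lands

// Returns a value that is safe to place in a Location header or assign to
// window.location: a root-relative path for same-origin targets, an absolute URL
// for allowlisted hosts, or DEFAULT_TARGET when the untrusted input is rejected.
function safeRedirectTarget(untrusted, opts = {}) {
  const origin = new URL(opts.origin || APP_ORIGIN);
  const allowed = opts.allowedHosts || ALLOWED_HOSTS;
  const fallback = opts.fallback || DEFAULT_TARGET;

  if (typeof untrusted !== 'string') return fallback;
  const raw = untrusted.trim();
  if (raw === '') return fallback;

  // Control characters would allow header injection (CRLF) in a Location header.
  if (/[\x00-\x1f\x7f]/.test(raw)) return fallback;

  // "//evil.test", "/\evil.test", "\\evil.test": browsers resolve all of these to
  // another host even though a "starts with /" check would accept them.
  if (/^[\/\\]{2}/.test(raw)) return fallback;

  // Resolve exactly as a browser would (WHATWG URL), relative to our own origin.
  let parsed;
  try {
    parsed = new URL(raw, origin.href);
  } catch {
    return fallback;
  }

  // No scheme changes: rejects javascript:, data:, and https->http downgrades.
  if (parsed.protocol !== origin.protocol) return fallback;

  // Same origin: hand back only the path, query and fragment, never the raw input.
  if (parsed.origin === origin.origin) {
    return parsed.pathname + parsed.search + parsed.hash;
  }

  // Other hosts must match the allowlist exactly (host includes any explicit port),
  // which defeats "app.example.com.evil.test" and "app.example.com@evil.test".
  if (allowed.has(parsed.host)) return parsed.href;

  return fallback;
}

// Constructed inputs a tester would throw at a redirect parameter, with the
// decision this resolver makes for each.
function demo() {
  const inputs = [
    '/account/settings',
    'https://app.example.com/x?y=1#z',
    'https://sso.example.com/login',
    '//evil.test/',
    '/\\evil.test',
    'https://app.example.com@evil.test/',
    'https://app.example.com.evil.test/',
    'javascript:alert(1)',
    '/ok\r\nSet-Cookie: a=b',
  ];
  return inputs.map((i) => ({ input: i, target: safeRedirectTarget(i) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

The order of the checks matters: the protocol-relative and control-character tests run before parsing because a server-side parser (PHP's parse_url, for instance) does not always normalise backslashes and whitespace the way the browser does, and the browser's interpretation is the one that decides where the user ends up. Comparing parsed.host, not a prefix or substring of the raw string, is what closes the userinfo and subdomain tricks.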

Examples of exploiting Redirection to Malicious Site

Cross-Site Scripting (XSS):

In an XSS attack, the attacker injects malicious code into a website that is then executed by the user’s browser. The code can be used to redirect the user to a malicious site, among other things. For example, the attacker might inject a script that redirects the user to a phishing site when they click a button or submit a form on the legitimate site.

SQL Injection:

In an SQL injection attack, the attacker alters the queries a website sends to its database. The database does not issue redirects itself, but if page content, templates, link tables or a stored "redirect URL" setting live in the database, an injection that writes to them plants a redirect that the application then serves to every visitor. For example, the attacker might use an UPDATE through the injection point to change a stored link or banner so that it points to a phishing site.

Malicious ads:

Attackers may also use malicious advertisements to redirect users to a malicious site. They might purchase ad space on a legitimate website and use the ad to redirect users to a phishing site or to download malware onto their device.

URL manipulation:

Attackers can also abuse a redirect parameter on a legitimate website so that a link carries the trusted domain while landing elsewhere. For example, they might send a phishing email whose link really does go to the legitimate site, but with a url or next parameter that the site forwards to a malicious page; the victim sees only the familiar domain before clicking.

Privilege escalation techniques for Redirection to Malicious Site

Exploiting software vulnerabilities:

Attackers can exploit vulnerabilities in software running on a system to gain elevated privileges. For example, they might exploit a vulnerability in a web server to gain administrative access to the server and modify the website code to include a redirect to a malicious site.

Exploiting misconfigured permissions:

Attackers can also exploit misconfigured permissions on a system to gain elevated privileges. For example, they might exploit a misconfigured file permission on a web server to gain access to sensitive configuration files, which they can then use to modify the website code to include a redirect to a malicious site.

Social engineering:

Attackers can use social engineering techniques to trick a user with elevated privileges into providing them with access. For example, they might call an employee at a company and impersonate an IT support technician, convincing the employee to provide them with remote access to the company’s systems.

Credential theft:

Attackers can steal credentials, such as usernames and passwords, to gain elevated privileges on a system. For example, they might use a phishing email to trick a user into entering their login credentials, which the attacker can then use to gain access to the system and modify the website code to include a redirect to a malicious site.

General methodology and checklist for Redirection to Malicious Site

Methodology:

  1. Reconnaissance: Gather information about the website, including its purpose, technology stack, and potential vulnerabilities. This can be done using open-source intelligence gathering techniques, such as analyzing the website’s HTML code and conducting network scans.

  2. Vulnerability scanning: Use vulnerability scanning tools, such as web application scanners, to identify potential vulnerabilities in the website. These vulnerabilities can include XSS, SQL injection, and other types of injection attacks.

  3. Exploitation: Attempt to exploit any vulnerabilities that were identified in the previous step to redirect the user to a malicious site. For redirect parameters this is done by hand or with an intercepting proxy such as Burp Suite or OWASP ZAP: send payload variants (absolute URL, protocol-relative, backslash, userinfo and subdomain tricks, encoded slashes) and check where the Location header, meta refresh or script in the response actually sends a browser.

  4. Social engineering: Attempt to trick users into clicking on links or submitting information that can be used to redirect them to a malicious site. This can be done using phishing emails, social media posts, or other similar techniques.

  5. Detection and prevention: Test the website’s detection and prevention mechanisms to determine if they are effective at detecting and mitigating redirection to malicious sites. This can involve testing the website’s firewall, intrusion detection systems, and other security controls.

  6. Reporting: Document any vulnerabilities and their potential impact, along with recommended mitigations. This report can then be used to help website owners and administrators fix the vulnerabilities and prevent redirection to malicious sites.
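The exploitation and reporting steps above, carried out offline as an added JavaScript example (not code from the original page): one function builds the probe URLs for a candidate parameter, and another classifies a captured response by resolving its redirect destination the way a browser would. The target https://target.test, the parameter name next and the collaborator host collab.attacker.test are assumptions; the sample responses are constructed for the example.

```javascript
// Added example (not code from the original page): an offline helper for the
// exploitation and reporting steps above. It builds open-redirect probes for a
// candidate parameter and classifies a response captured through the tester's
// proxy. The target, parameter name and collaborator host are assumptions.

const ATTACKER_HOST = 'collab.attacker.test';  // assumed host under the tester's control

// Payload variants that commonly pass naive redirect filters. Each is sent as-is,
// so the tester decides on encoding.
function redirectPayloads(attackerHost = ATTACKER_HOST, trustedHost = 'target.test') {
  return [
    `https://${attackerHost}/`,                  // plain absolute URL
    `//${attackerHost}/`,                        // protocol-relative
    `/\\${attackerHost}/`,                       // backslash, normalised to // by browsers
    `https://${trustedHost}@${attackerHost}/`,   // trusted host in the userinfo part
    `https://${trustedHost}.${attackerHost}/`,   // beats a "starts with trusted host" check
    `https://${attackerHost}/${trustedHost}`,    // beats a "contains trusted host" check
    `%2F%2F${attackerHost}/`,                    // encoded slashes, decoded once by the server
  ];
}

// One probe URL per payload, appended to the named query parameter unencoded.
function buildProbes(targetUrl, param, payloads = redirectPayloads()) {
  const sep = targetUrl.includes('?') ? '&' : '?';
  return payloads.map((payload) => ({ payload, url: `${targetUrl}${sep}${param}=${payload}` }));
}

const META_REFRESH_RE = /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)/i;
const SCRIPT_REDIRECT_RE = /(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.replace\(\s*["']([^"']+)["']/i;

// Extracts the redirect destination a browser would follow from a response
// {status, headers, body}. Returns {target, via} or null when nothing redirects.
function extractRedirect(resp) {
  const headers = {};
  for (const [k, v] of Object.entries(resp.headers || {})) headers[k.toLowerCase()] = v;
  if (resp.status >= 300 && resp.status < 400 && headers.location) {
    return { target: headers.location, via: 'location-header' };
  }
  const body = resp.body || '';
  const meta = META_REFRESH_RE.exec(body);
  if (meta) return { target: meta[1], via: 'meta-refresh' };
  const script = SCRIPT_REDIRECT_RE.exec(body);
  if (script) return { target: script[1] || script[2], via: 'script' };
  return null;
}

// Decides whether the response sends the browser to the attacker's host, resolving
// the destination against the request URL exactly as the browser will.
function classifyRedirect(resp, requestUrl, attackerHost = ATTACKER_HOST) {
  const found = extractRedirect(resp);
  if (!found) return { vulnerable: false, via: null, resolved: null };
  let resolved;
  try {
    resolved = new URL(found.target, requestUrl);
  } catch {
    return { vulnerable: false, via: found.via, resolved: null };
  }
  const host = resolved.hostname;
  const offSite = host === attackerHost || host.endsWith('.' + attackerHost);
  return { vulnerable: offSite, via: found.via, resolved: resolved.href };
}

// Constructed responses, as a proxy might have recorded them for the probes above.
const SAMPLE_RESPONSES = [
  { status: 302, headers: { Location: '//collab.attacker.test/' } },
  { status: 302, headers: { Location: '/dashboard' } },
  { status: 200, headers: { 'Content-Type': 'text/html' },
    body: '<html><head><meta http-equiv="refresh" content="0;url=https://collab.attacker.test/x"></head></html>' },
  { status: 200, headers: { 'Content-Type': 'text/html' },
    body: '<script>window.location = "https://collab.attacker.test/";</script>' },
  { status: 200, headers: { 'Content-Type': 'text/html' }, body: '<p>Invalid redirect target.</p>' },
];

function demo(requestUrl = 'https://target.test/login?next=x') {
  return SAMPLE_RESPONSES.map((r) => classifyRedirect(r, requestUrl));
}
```

A 200 response with a meta refresh or a script assignment is reported as vulnerable just like a 302, because the user ends up on the same page either way; a report that only looks at Location headers misses the client-side variants. Recording the resolved URL alongside the raw target gives the report the evidence line a developer needs to reproduce the finding.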

Checklist:

  1. Identify the scope of the testing: Determine which pages or sections of the website will be tested for redirection to a malicious site.

  2. Gather information: Collect information about the website, such as its purpose, technology stack, and potential vulnerabilities.

  3. Review website code: Review the website’s HTML, CSS, and JavaScript code to identify potential vulnerabilities that could be exploited for redirection.

  4. Test for input validation: Test user input fields, such as login forms and search boxes, to ensure they are properly validated and cannot be exploited for redirection.

  5. Test for cross-site scripting (XSS) vulnerabilities: Test for XSS vulnerabilities, which can allow an attacker to inject malicious code that redirects users to a malicious site.

  6. Test for SQL injection vulnerabilities: Test for SQL injection vulnerabilities, which can allow an attacker to execute malicious SQL queries that redirect users to a malicious site.

  7. Test for open redirects: Test for open redirects, which can be used to redirect users to a malicious site by exploiting a vulnerability in the website’s redirection mechanism.

  8. Test for session hijacking: Test for session hijacking vulnerabilities, which can allow an attacker to steal a user’s session and redirect them to a malicious site.

  9. Test for social engineering attacks: Test for social engineering attacks, such as phishing emails and fake login pages, that can be used to trick users into visiting a malicious site.

  10. Test for anti-malware protection: Test the website’s anti-malware protection mechanisms to ensure they are effective at detecting and preventing redirection to malicious sites.

  11. Document findings: Document any vulnerabilities that were identified, along with recommended mitigation strategies, and provide a report to website owners or administrators.

Tool set for testing Redirection to Malicious Site

Manual Tools:

  1. Burp Suite: is a popular web application security testing tool that can be used to test for redirection to malicious sites. It includes a proxy, scanner, and other tools to help identify vulnerabilities.

  2. OWASP ZAP: is an open-source web application security testing tool that can be used to test for redirection to malicious sites. It includes features such as a scanner, proxy, and Fuzzer to help identify vulnerabilities.

  3. Metasploit: is a penetration testing framework that includes tools for testing various types of vulnerabilities, including those related to redirection to malicious sites.

  4. Kali Linux: is a popular Linux-based operating system that includes a range of tools for web application security testing, including tools for testing for redirection to malicious sites.

  5. Nmap: is a network exploration and security auditing tool that can be used to identify open ports and services, as well as potential vulnerabilities that can be exploited for redirection.

  6. Wfuzz: is a web application security testing tool that includes a range of fuzzing techniques to identify potential vulnerabilities that can be exploited for redirection.

  7. SQLMap: is a popular tool for identifying and exploiting SQL injection vulnerabilities, which can be used to redirect users to a malicious site.

  8. Social-Engineer Toolkit: SET is a tool that can be used to conduct social engineering attacks, such as phishing emails or fake login pages, that can be used to redirect users to a malicious site.

  9. BeEF: is a browser exploitation framework that can be used to test for vulnerabilities in the browser that can be exploited for redirection to a malicious site.

Automated Tools:

  1. Nikto: is an open-source web server scanner that can be used to test for redirection to malicious sites, as well as other vulnerabilities such as outdated software.

  2. Vega: is a web application scanner that includes a range of testing tools, including those for testing for redirection to malicious sites.

  3. Acunetix: is a web application scanner that includes features such as a scanner, proxy, and Fuzzer to help identify vulnerabilities related to redirection.

  4. Netsparker: is an automated web application scanner that includes features for identifying vulnerabilities related to redirection to a malicious site.

  5. Qualys Web Application Scanning:  is a cloud-based web application scanner that can be used to identify a range of vulnerabilities, including those related to redirection.

  6. IBM AppScan: is an automated web application scanner that includes a range of testing tools to identify vulnerabilities related to redirection.

  7. HP WebInspect: is an automated web application scanner that includes a range of testing tools to identify vulnerabilities related to redirection.

  8. Nessus: is a vulnerability scanner that can be used to test for a range of vulnerabilities, including those related to redirection to a malicious site.

  9. OpenVAS: is an open-source vulnerability scanner that can be used to test for a range of vulnerabilities, including those related to redirection to a malicious site.

Browser Plugins:

  1. Tamper Data: is a Firefox plugin that can be used to view and modify HTTP/HTTPS headers and post parameters, which can be used to test for redirection to a malicious site.

  2. HackBar: is a Firefox plugin that includes a range of tools for testing web application security, including those for testing for redirection to a malicious site.

Average CVSS score of Redirection to Malicious Site

The Common Vulnerability Scoring System (CVSS) is a standard method used to assess the severity of security vulnerabilities, including those related to redirection to malicious sites. The CVSS score is calculated based on various factors such as the impact, exploitability, and complexity of the vulnerability.

The CVSS score for vulnerabilities related to redirection to malicious sites varies with the vulnerability and its context. A plain open redirect (CWE-601) is usually rated Medium: under CVSS v3.x the common vector of network access, low attack complexity, no privileges, user interaction required, changed scope and low confidentiality and integrity impact scores 6.1, and vendors typically publish values between 4.7 and 6.1 for this class.

Higher scores appear when the redirect is a step towards something worse rather than the whole finding: an HTTP client that forwards cookies or authorization headers to the redirect target, an SSRF allowlist bypassed through a trusted host's redirect, or an update channel that can be pointed at an attacker's server, as in the Schneider Electric SESU CVE listed below. Phishing and social engineering are not themselves scored by CVSS; they are the way an open redirect is put to use.

The Common Weakness Enumeration (CWE)

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) This weakness occurs when a web application allows untrusted input to be used as the destination of a redirect, without proper validation or sanitization. Attackers can use this weakness to trick users into visiting malicious sites, by sending them a link that appears to lead to a trusted site, but actually redirects them to a malicious site.

CWE-602: Client-Side Enforcement of Server-Side Security This weakness occurs when a web application relies on client-side code (such as JavaScript) to enforce security policies that should be implemented on the server-side. Attackers can exploit this weakness by bypassing the client-side security checks and accessing resources or functionality that should be protected by the server.

CWE-611: Improper Restriction of XML External Entity Reference This weakness occurs when a web application processes XML input that contains external entities, without proper validation or sanitization. Attackers can use this weakness to read sensitive data from the server or perform other malicious actions.

CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute This weakness occurs when a web application uses cookies to store sensitive information (such as session tokens), but does not mark those cookies as “secure”, which means they can be transmitted over unencrypted HTTP connections. Attackers can intercept the cookies and use them to hijack user sessions or access sensitive information.

CWE-639: Authorization Bypass Through User-Controlled Key This weakness occurs when a web application uses a user-controlled key (such as a parameter in a URL or form data) to authorize access to a resource or functionality, without proper validation or sanitization. Attackers can exploit this weakness by guessing or manipulating the key value to gain unauthorized access.

CWE-707: Improper Neutralization This is the general class for failing to neutralize untrusted input before it reaches an interpreter or control structure, of which injection weaknesses are the best-known members. The redirect-specific weakness is CWE-601 above: an unvalidated value that reaches a Location header, meta refresh or window.location.

CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’) This weakness occurs when a web application allows user input to be interpreted as a different type of data than intended, which can lead to unexpected behavior or security issues. Attackers can exploit this weakness to bypass security controls and access unauthorized resources or functionality.

CWE-862: Missing Authorization This weakness occurs when a web application fails to properly authorize user access to resources or functionality. Attackers can exploit this weakness to gain unauthorized access to sensitive information or perform unauthorized actions.

CWE-284: Improper Access Control This weakness occurs when a web application allows users to access resources or functionality that they should not be able to access, due to improper implementation of access controls. Attackers can exploit this weakness to gain unauthorized access to sensitive information or perform unauthorized actions.

CWE-918: Server-Side Request Forgery (SSRF) This weakness occurs when a web application fetches a URL supplied by the user without proper validation, so the server can be made to reach internal services, cloud metadata endpoints or other hosts the attacker cannot reach directly. It belongs on this list because the two weaknesses combine: an open redirect on a host that an SSRF allowlist trusts lets the attacker give the server an allowed URL and have it follow the redirect to an internal address.

Top 10 CVEs related to Redirection to Malicious Site

• CVE-2022-44488 – Adobe Experience Manager version 6.5.14 (and earlier) is affected by a URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

• CVE-2022-31151 – Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

• CVE-2022-23367 – Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user’s device via open redirection.

• CVE-2021-3294 – CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.

• CVE-2021-22676 – UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

• CVE-2021-1500 – A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the URL parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. Attackers may use this type of vulnerability, known as an open redirect attack, as part of a phishing attack to persuade users to unknowingly visit malicious sites.

• CVE-2020-7520 – A CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim’s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker’s possession. A man-in-the-middle attack is then used to complete the exploit.

• CVE-2020-6266 – SAP Fiori for SAP S/4HANA, versions – 100, 200, 300, 400, allows an attacker to redirect users to a malicious site due to insufficient URL validation, leading to URL Redirection.

• CVE-2020-6215 – SAP NetWeaver AS ABAP Business Server Pages Test Application IT00, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL Redirection vulnerability.

• CVE-2020-6211 – SAP Business Objects Business Intelligence Platform (AdminTools), versions 4.1, 4.2, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL Redirection vulnerability.

Redirection to Malicious Site exploits

  • Phishing attacks – Attackers can send phishing emails that contain links to fake login pages, which are designed to steal the user’s login credentials. The links may use open redirection vulnerabilities to redirect the user to a fake site that looks like a legitimate site, such as a bank or social media site.

  • Malvertising – Attackers can submit malicious ads to an ad network that legitimate websites embed; the ad creative, or the chain of landing pages it redirects through, sends the visitor to a fake site or a malware download. The publishing site itself need not be compromised, which is what makes the technique effective; compromising the site through XSS or SQL injection is a separate route to the same outcome.

  • Cross-Site Scripting (XSS) – Attackers can use XSS to inject scripts into a web page, which can then redirect the user to a malicious site or perform other malicious actions, such as stealing user data or installing malware.

  • Session fixation – Attackers can use session fixation attacks to hijack user sessions by forcing the user to use a specific session ID that the attacker knows. The attacker can then use the session to perform actions on behalf of the user, such as making unauthorized purchases or stealing sensitive data.

  • Clickjacking – Attackers can use clickjacking attacks to trick users into clicking on a button or link that they did not intend to click on. The button or link may be hidden behind another element on the page, or may be transparent. The attacker can use this technique to redirect the user to a malicious site or perform other malicious actions.

  • URL parameter tampering – Attackers can tamper with URL parameters to bypass authentication or authorization checks, or to access sensitive information or functionality that should be protected. The attacker can also use this technique to redirect the user to a malicious site or perform other malicious actions.

  • Server-side request forgery (SSRF) – Attackers can use SSRF attacks to trick a server into making a request to a URL that the attacker controls, which can then be used to steal sensitive data, execute arbitrary code, or redirect the user to a malicious site.

Practising tests for Redirection to Malicious Site

Understand the application: Start by understanding the application and its features. Look for areas where user input is accepted and processed, such as forms, query parameters, and cookies.

Identify potential vulnerabilities: Use tools such as vulnerability scanners, web proxies, and browser plugins to identify potential vulnerabilities related to redirection to malicious sites. Look for open redirect vulnerabilities, URL parameter tampering, and other common attack scenarios.

Test for common attacks: Test for common attacks such as phishing, malvertising, XSS, session fixation, clickjacking, and SSRF. Use manual testing techniques such as crafting custom requests and manipulating URL parameters to test for these attacks.

Test for authorization issues: Test for authorization issues that could allow an attacker to bypass access controls and gain unauthorized access to sensitive functionality. Look for issues such as user-controlled keys, missing authorization, and improper access control.

Check for secure coding practices: Check for secure coding practices such as input validation, output encoding, and secure session management. Look for issues such as improper validation of XML external entities and sensitive cookies that are not marked as secure.

Report and verify findings: Report your findings to the appropriate parties, such as the application owner or development team. Verify that the issues have been fixed before closing the report.

Keep up-to-date: Stay up-to-date on the latest attack techniques and vulnerabilities related to redirection to malicious sites. This will help you stay ahead of attackers and keep your testing skills sharp.

Resources for studying Redirection to Malicious Site

  1. OWASP: The Open Web Application Security Project (OWASP) is a nonprofit organization that provides free resources and tools for web application security. The OWASP Top 10 listed "Unvalidated Redirects and Forwards" as A10 in its 2010 and 2013 editions, and the 2021 edition maps CWE-601 under A01: Broken Access Control. The OWASP Cheat Sheet Series has an "Unvalidated Redirects and Forwards Cheat Sheet" with validation guidance, and the Web Security Testing Guide includes a test case for client-side URL redirects.

  2. CVE: The Common Vulnerabilities and Exposures (CVE) database is a publicly accessible list of known cybersecurity vulnerabilities. You can search for CVEs related to redirection to malicious sites and learn about specific exploits and their impact.

  3. ExploitDB: The Exploit Database is a public archive of exploits and vulnerability data. You can search for exploits related to redirection to malicious sites and learn about their code and methodology.

  4. Online courses: There are many online courses that cover web application security and related topics. Some popular options include Udemy’s “Web Application Penetration Testing: Beginner to Ninja,” SANS Institute’s “SEC542: Web App Penetration Testing and Ethical Hacking,” and Pluralsight’s “Web Application Penetration Testing.”

  5. Books: There are many books that cover web application security, including topics related to redirection to malicious sites. Some popular options include "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" by Dafydd Stuttard and Marcus Pinto and "The Tangled Web: A Guide to Securing Modern Web Applications" by Michal Zalewski. "Hacking: The Art of Exploitation" by Jon Erickson is often recommended alongside them, but it covers native exploitation (memory corruption, shellcode, networking in C) rather than web redirects.

Books covering Redirection to Malicious Site

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book is a comprehensive guide to web application security, including techniques for identifying and exploiting vulnerabilities like open redirects.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz: This book focuses on using the Python programming language for hacking and penetration testing, including techniques for exploiting web application vulnerabilities like open redirects.

“The Browser Hacker’s Handbook” by Wade Alcorn, Christian Frichot, and Michele Orru: This book covers browser security, including topics like cross-site scripting, cross-site request forgery, and open redirect vulnerabilities.

“The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski: This book covers a wide range of web application security topics, including those related to redirection to malicious sites.

“Hacking Web Applications: The Art of Hacking Series” by Dafydd Stuttard and Marcus Pinto: This book provides an overview of web application security, including detailed coverage of common vulnerabilities like open redirects.

“Breaking into Information Security: Learning the Ropes 101” by Josh More, Anthony Stieber, and Chris Liu: This book is a comprehensive guide to getting started in the field of information security, including practical advice and examples related to web application security.

“Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu: This book is an introduction to web application security, covering topics like the OWASP Top 10, including open redirects.

“Ethical Hacking and Penetration Testing Guide” by Rafay Baloch: This book covers the basics of ethical hacking and penetration testing, including web application security topics like open redirects.

“Web Penetration Testing with Kali Linux” by Juned Ahmed Ansari: This book focuses on using the Kali Linux operating system and associated tools for web application penetration testing, including techniques for exploiting vulnerabilities like open redirects.

“Hacking: The Art of Exploitation” by Jon Erickson: This book is a hands-on guide to native exploitation, covering C, assembly, memory corruption, shellcode and network attacks. It does not cover open redirects or web application testing, so read it for exploitation fundamentals rather than for this topic.

How to be protected from Redirection to Malicious Site

  1. Be cautious of links from unknown or suspicious sources: Do not click on links in emails or messages from unknown or suspicious sources, or links that seem too good to be true.

  2. Check the URL before clicking: Check the URL in the address bar of your web browser to ensure that it matches the website you intended to visit.

  3. Use a web application firewall: A WAF can detect and block malicious traffic, including redirection attempts.

  4. Keep your software up-to-date: Keep your operating system, web browser, and other software up-to-date with the latest security patches.

  5. Use security software: Use security software such as antivirus and anti-malware software to detect and block malicious websites and links.

  6. Block automatic page refreshes where your browser allows it: browsers have no switch for HTTP redirects, but Firefox can block meta-refresh redirects (the accessibility.blockautorefresh preference), and script-driven redirects are stopped wherever script is blocked.

  7. Be wary of shortened URLs: Be cautious of shortened URLs, which can be used to hide the true destination of a link.

  8. Use a browser extension: Use a browser extension that can help detect and block malicious links, such as NoScript or uBlock Origin.

  9. Educate yourself: Stay informed about the latest threats and attack techniques, and educate yourself on how to stay safe online.

Mitigations for Redirection to Malicious Site

  1. Mark session cookies HttpOnly (and Secure, with a SameSite attribute). This does not stop a redirect, but it keeps a script injected through XSS from reading the session token, so a redirect to a phishing page cannot be combined with silent cookie theft.

  2. Use anti-clickjacking measures (X-Frame-Options, or the CSP frame-ancestors directive) to prevent users from unknowingly clicking on hidden or disguised links that redirect to malicious sites.

  3. Implement a CSP to restrict the scripts a page may run. It stops injected script from redirecting the browser, but it has no effect on a server-side open redirect, which is a 3xx response the browser follows before any policy applies; that case needs mitigation 4.

  4. Validate redirect targets on the server: accept only root-relative paths, or resolve the value as a browser would and compare the resulting host against an allowlist; reject protocol-relative values, backslash variants and any scheme other than the site's own. Where possible avoid taking a URL from the client at all and use an indirect reference (a key mapped to a destination server-side) or a destination the application signed itself.

  5. Use proper input validation techniques to prevent attackers from injecting malicious scripts or URLs into input fields.

  6. Use secure coding practices to prevent vulnerabilities in the code that can be exploited to redirect users to malicious sites.

  7. Use WAFs to detect and block malicious traffic, including redirection attempts.

  8. Implement 2FA to prevent unauthorized access to user accounts even if attackers manage to steal or spoof user credentials.

  9. Educate users on the risks of redirection to malicious sites and how to identify and avoid these risks
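The WAF and detection side of the mitigations above, as an added JavaScript example (not code from the original page): the logic a SOC analyst or WAF rule author would run over web-server access logs to spot open-redirect abuse, flagging requests whose redirect-style parameter resolves off-site and noting whether the application actually answered with a 3xx. The log lines are constructed for the example in combined log format; the parameter names, the site origin https://app.example.com and the trusted host list are assumptions.

```javascript
// Added example (not code from the original page): detection logic for access
// logs. Flags requests whose redirect-style parameter resolves to an untrusted
// host and records whether the application honoured it with a 3xx. Log lines are
// constructed; parameter names, origin and trusted hosts are assumptions.

const SITE_BASE = 'https://app.example.com/';                           // assumed origin of the logged site
const TRUSTED_HOSTS = new Set(['app.example.com', 'sso.example.com']);  // assumed hosts redirects may go to
const REDIRECT_PARAMS = ['next', 'url', 'redirect', 'redirect_uri', 'return', 'returnUrl', 'goto', 'dest', 'continue'];

// Constructed sample in combined log format: client, timestamp, request line, status, size, referer, agent.
const SAMPLE_LOG = `
203.0.113.5 - - [20/Feb/2023:10:01:02 +0000] "GET /login?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Feb/2023:10:01:09 +0000] "GET /login?next=https://evil.test/phish HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2023:10:02:11 +0000] "GET /login?next=//evil.test/ HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [20/Feb/2023:10:02:30 +0000] "GET /out?url=https%3A%2F%2Fsso.example.com%2Fstart HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.9 - - [20/Feb/2023:10:03:00 +0000] "GET /out?url=https://app.example.com@evil.test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Feb/2023:10:03:05 +0000] "GET /search?q=redirect HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
`.trim();

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Resolves a parameter value the way a browser would and returns the untrusted
// host it lands on, or null when the destination stays on a trusted host.
function offSiteTarget(value, base = SITE_BASE) {
  let u;
  try {
    u = new URL(value, base);
  } catch {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return u.href; // javascript:, data:, ...
  return TRUSTED_HOSTS.has(u.host) ? null : u.host;
}

function detectOpenRedirectAbuse(logText, base = SITE_BASE) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const req = parseLine(line);
    if (!req) continue;
    let url;
    try {
      url = new URL(req.path, base);
    } catch {
      continue;
    }
    for (const name of REDIRECT_PARAMS) {
      const value = url.searchParams.get(name); // decoded once, as the server decodes it
      if (value === null) continue;
      const target = offSiteTarget(value, base);
      if (!target) continue;
      findings.push({
        ip: req.ip, time: req.time, param: name, value, target,
        // 3xx means the application issued the redirect; 200 is an attempt it did not honour.
        redirected: req.status >= 300 && req.status < 400,
      });
    }
  }
  return findings;
}

// Counts findings per source address, the usual pivot for a WAF rate rule or a block.
function countBySource(findings) {
  const counts = new Map();
  for (const f of findings) counts.set(f.ip, (counts.get(f.ip) || 0) + 1);
  return counts;
}
```

Running this over the constructed sample yields three findings: two honoured redirects to evil.test (one through a plain URL, one protocol-relative) and one attempt using the userinfo trick that the application answered with a 200. Resolving the value with the same parser the validator uses is what keeps the detector and the fix in agreement; a rule that merely looks for "http" in the parameter misses the protocol-relative and backslash forms.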

Conclusion

Redirection to malicious sites is a common attack vector used by cybercriminals to trick users into visiting websites that are designed to steal sensitive information, spread malware, or carry out other malicious activities. These attacks can take many forms, including phishing emails, malicious links in ads, and compromised websites.

To protect against redirection to malicious sites, it’s important to stay vigilant and be cautious of links from unknown or suspicious sources, check the URL before clicking, use security software, and keep your software up-to-date with the latest security patches. On the application side the decisive control is server-side validation of redirect targets (relative paths or an allowlist of hosts, or a signed or indirect destination), backed by HttpOnly cookies, anti-clickjacking headers and a content security policy to limit what an injected script can do.
