28 Feb, 2023

Unvalidated Redirects and Forwards


Unvalidated Redirects and Forwards refer to a security vulnerability that occurs when an application or website allows a user to redirect to another page or website without validating the URL. This vulnerability can be exploited by attackers to redirect users to malicious websites, steal sensitive information, or perform other malicious activities. Unvalidated redirects and forwards can be prevented by validating the destination URL and implementing proper input validation and encoding techniques in the application or website.

Examples of vulnerable code in different programming languages:

• in PHP:

    <?php
    // Vulnerable code: the destination is taken straight from the query string
    $redirect_url = $_GET['redirect'];
    header('Location: ' . $redirect_url);
    exit; // stop processing after issuing the redirect
    ?>


In this example, the code takes a redirect URL from the query string without validating it. An attacker can manipulate the URL to redirect users to a malicious website.

• in Java:

    // Vulnerable code, inside a servlet's doGet(HttpServletRequest request, HttpServletResponse response)
    // (requires javax.servlet.http.HttpServletRequest and HttpServletResponse)
    String redirectURL = request.getParameter("redirectURL"); // untrusted user input
    response.sendRedirect(redirectURL);                        // used as-is, no validation


In this Java example, the code takes a redirect URL from a parameter without validating it. An attacker can manipulate the URL to redirect users to a malicious website.

• in Python:

    # Vulnerable code (Django view)
    from django.shortcuts import redirect

    def go(request):
        redirect_url = request.GET.get('redirect')  # untrusted user input
        return redirect(redirect_url)               # used as-is, no validation


In this Python example, the code takes a redirect URL from the query string without validating it. An attacker can manipulate the URL to redirect users to a malicious website.

Examples of exploiting Unvalidated Redirects and Forwards

Phishing Attack

An attacker can craft a URL that looks legitimate and send it to a victim, enticing them to click on the link. The URL can redirect the victim to a malicious website that looks like a legitimate one, such as a banking or email login page. The attacker can then capture the victim’s login credentials and use them for fraudulent activities.

Malware Infection

An attacker can use an Unvalidated Redirect to download malware onto the victim’s computer. The attacker can redirect the victim to a website that contains malicious code, such as a drive-by download attack. The victim’s computer can be infected with malware that can steal sensitive information, log keystrokes, or take control of the victim’s machine.

SEO Spam

Attackers can use Unvalidated Redirects to improve their website’s search engine optimization (SEO) ranking. They can redirect visitors from a legitimate website to a spammy website, which can increase the spam website’s traffic and improve its SEO ranking. This tactic is known as SEO spam.

Privilege escalation techniques for Unvalidated Redirects and Forwards

Cross-Site Request Forgery (CSRF)

An attacker can use an Unvalidated Redirect to launch a CSRF attack, which is an attack that tricks a user into executing unintended actions on a web application. The attacker can craft a malicious URL that, when clicked, will perform an action on a website that the victim is currently authenticated to. This attack can be used to change the victim’s password, transfer funds, or perform other malicious actions.

Session Hijacking

An attacker can use an Unvalidated Redirect to steal a victim’s session ID and gain access to the victim’s session. The attacker can craft a malicious URL that, when clicked, will redirect the victim to a website under the attacker’s control. The website can then steal the victim’s session ID and use it to hijack the victim’s session on the original website.

Reflected Cross-Site Scripting (XSS)

An attacker can use an Unvalidated Redirect to perform a Reflected Cross-Site Scripting (XSS) attack, which is an attack that injects malicious code into a website. The attacker can craft a malicious URL that, when clicked, will redirect the victim to a website that contains the attacker’s malicious code. The code can then execute in the victim’s browser and steal sensitive information, such as login credentials.

General methodology and checklist for Unvalidated Redirects and Forwards

Methodology:

  1. Identify input points that could lead to Unvalidated Redirects and Forwards: Look for user inputs, such as query strings, form data, and cookies that can be used to redirect users to other websites or pages.

  2. Identify the vulnerable code that processes the input: Review the code that processes the input points and identify any code that redirects users without properly validating the input.

  3. Test for Unvalidated Redirects and Forwards: Test the input points by injecting different URLs to see if the application redirects to the expected URL. Test for different types of injections, such as injecting a complete URL, injecting a relative URL, and injecting JavaScript code.

  4. Validate input: If the input is not validated, try injecting a malformed URL to see if the application can be exploited. For example, try injecting a URL that contains a null byte or other special characters.

  5. Verify the vulnerability: Once you have identified a potential vulnerability, verify it by redirecting to a different website or executing malicious code.

  6. Report the vulnerability: Report the vulnerability to the developers and provide steps to reproduce the issue. Make sure to include details on the impact of the vulnerability and potential attack scenarios.

  7. Verify the fix: Once the vulnerability has been fixed, verify that the application no longer allows Unvalidated Redirects and Forwards. Repeat the testing to ensure that the fix is effective.

Checklist:

  1. Look for user inputs, such as query strings, form data, and cookies that can be used to redirect users to other websites or pages.

  2. Review the code that processes the input points and identify any code that redirects users without properly validating the input.

  3. Test the input points by injecting different URLs to see if the application redirects to the expected URL. Test for different types of injections, such as injecting a complete URL, injecting a relative URL, and injecting JavaScript code.

  4. Ensure that all input is validated properly. Verify that the application only redirects users to trusted domains and that it properly sanitizes user input to prevent malicious URLs from being processed.

  5. Try injecting a malformed URL to see if the application can be exploited. For example, try injecting a URL that contains a null byte or other special characters.

  6. Once you have identified a potential vulnerability, verify it by redirecting to a different website or executing malicious code.

  7. Report the vulnerability to the developers and provide steps to reproduce the issue. Make sure to include details on the impact of the vulnerability and potential attack scenarios.

  8. Once the vulnerability has been fixed, verify that the application no longer allows Unvalidated Redirects and Forwards. Repeat the testing to ensure that the fix is effective.

  9. Consider using automated tools to scan for Unvalidated Redirects and Forwards vulnerabilities. Some popular tools include OWASP ZAP, Burp Suite, and Nmap.

Tool set for exploiting Unvalidated Redirects and Forwards

Manual Tools:

  • Tamper Data: A Firefox add-on that allows you to intercept and modify HTTP/HTTPS requests before they are sent to the server.

  • Burp Suite: A popular web application security testing tool that includes a proxy, scanner, and various other tools for testing web applications. It can be used to intercept and modify HTTP/HTTPS requests and responses.

  • OWASP ZAP (Zed Attack Proxy): A free, open-source web application security testing tool that includes a proxy, scanner, and various other tools for testing web applications. It can be used to intercept and modify HTTP/HTTPS requests and responses.

  • Fiddler: A free web debugging proxy tool that can be used to intercept and modify HTTP/HTTPS requests and responses.

  • Charles Proxy: A web debugging proxy tool that can be used to intercept and modify HTTP/HTTPS requests and responses. It also includes various other features, such as SSL proxying and bandwidth throttling.

  • Tamper Chrome: A Chrome extension that allows you to intercept and modify HTTP/HTTPS requests before they are sent to the server.

  • Firefox HackBar: A Firefox add-on that allows you to easily test for Unvalidated Redirects and Forwards by modifying the URL parameters.

  • LiveHTTPHeaders: A Firefox add-on that allows you to view and modify HTTP/HTTPS headers.

Automated Tools:

  • Nikto: A free and open-source web server scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • Nessus: A popular vulnerability scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • OpenVAS: An open-source vulnerability scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • Acunetix: A commercial web application security scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • AppScan: A commercial web application security scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • Skipfish: A free and open-source web application security scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • w3af: A free and open-source web application security scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • Arachni: A free and open-source web application security scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • Grendel-Scan: A free and open-source web application security scanner that can be used to identify common vulnerabilities, including Unvalidated Redirects and Forwards.

  • Metasploit: A popular framework for developing and executing exploit code against target systems. It includes various modules for testing web applications, including Unvalidated Redirects and Forwards.

  • sqlmap: A free and open-source tool for testing SQL injection vulnerabilities in web applications. It can also be used to test for Unvalidated Redirects and Forwards.

  • Zed Attack Proxy (ZAP): In addition to its manual testing capabilities, OWASP ZAP also includes an automated scanning mode that can be used to identify Unvalidated Redirects and Forwards vulnerabilities and other web application vulnerabilities.

  • Burp Suite Professional: The professional version of Burp Suite includes a variety of automated scanning features, including Unvalidated Redirects and Forwards vulnerability detection.

  • Netsparker: A commercial web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

  • Acufweb: A commercial web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

  • WebInspect: A commercial web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

  • AppTrana: A cloud-based web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

  • Detectify: A cloud-based web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

  • Qualys Web Application Scanning (WAS): A cloud-based web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

  • IBM Security AppScan: A commercial web application security scanner that includes an automated scanner for detecting Unvalidated Redirects and Forwards vulnerabilities.

Average CVSS score of Unvalidated Redirects and Forwards

The Common Vulnerability Scoring System (CVSS) is a standardized system for assessing the severity of security vulnerabilities. The CVSS score is a numerical score between 0 and 10, with a higher score indicating a more severe vulnerability.

The CVSS score of Unvalidated Redirects and Forwards vulnerabilities can vary widely depending on the specific vulnerability and the system being tested. Generally, the CVSS score of an Unvalidated Redirects and Forwards vulnerability can range from low (e.g., 1.0 to 3.9) to high (e.g., 7.0 to 10.0) depending on the impact of the vulnerability and the ease of exploitation.

However, it’s important to note that the CVSS score alone doesn’t provide a complete picture of the severity of a vulnerability, and other factors such as the likelihood of exploitation and the potential impact on an organization should also be considered when assessing the severity of a vulnerability. It’s also important to note that while Unvalidated Redirects and Forwards vulnerabilities can be serious, they are often not as severe as other types of vulnerabilities, such as SQL injection or remote code execution vulnerabilities.

The Common Weakness Enumeration (CWE)

• CWE-601: Open Redirect: This CWE describes the issue of a web application that allows an attacker to redirect a user to a URL of the attacker’s choice. This can be used to trick the user into visiting a malicious website, or to steal sensitive information by redirecting the user to a phishing website.

• CWE-698: Execution after Redirect (EAR): This CWE describes the issue of a web application that allows an attacker to execute code after a redirect has occurred. This can be used to bypass security checks, steal user credentials, or perform other malicious actions.

• CWE-829: Inclusion of Functionality from Untrusted Control Sphere: This CWE describes the issue of a web application that includes code from an untrusted source, such as a third-party library or a user-provided script. This can lead to a variety of vulnerabilities, including Unvalidated Redirects and Forwards.

• CWE-346: Origin Validation Error: This CWE describes the issue of a web application that fails to properly validate the origin of a request. This can allow an attacker to trick the application into processing a request that appears to come from a trusted source, but is actually malicious.

• CWE-434: Unrestricted Upload of File with Dangerous Type: This CWE describes the issue of a web application that allows users to upload files without properly validating the file type or content. This can lead to a variety of vulnerabilities, including Unvalidated Redirects and Forwards.

• CWE-532: Insertion of Sensitive Information into Log File: This CWE describes the issue of a web application that logs sensitive information, such as passwords or credit card numbers, in plaintext. This can lead to a variety of vulnerabilities, including Unvalidated Redirects and Forwards.

• CWE-285: Improper Authorization: This CWE describes the issue of a web application that fails to properly enforce access controls, allowing an attacker to access sensitive information or perform unauthorized actions.

• CWE-287: Improper Authentication: This CWE describes the issue of a web application that fails to properly authenticate users, allowing an attacker to impersonate a legitimate user and perform unauthorized actions.

• CWE-613: Insufficient Session Expiration: This CWE describes the issue of a web application that fails to properly expire user sessions, allowing an attacker to use an old session ID to impersonate a legitimate user and perform unauthorized actions.

CVEs related to Unvalidated Redirects and Forwards

• CVE-2022-22797 – SysAid – Open Redirect – An attacker can change the redirect link in the parameter “redirectURL” of a “GET” request to the URL location /CommunitySSORedirect.jsp?redirectURL=https://google.com. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

• CVE-2015-5210 – Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter.

• CVE-2015-4134 – Open redirect vulnerability in goto.php in phpwind 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

Unvalidated Redirects and Forwards exploits

  • Phishing attacks: An attacker can use an unvalidated redirect or forward vulnerability to redirect users to a phishing website that looks like a legitimate website, but is designed to steal sensitive information such as usernames and passwords.

  • Malware distribution: An attacker can use an unvalidated redirect or forward vulnerability to redirect users to a website that distributes malware. The malware can be used to steal sensitive information, perform denial-of-service attacks, or take control of the user’s device.

  • Clickjacking: An attacker can use an unvalidated redirect or forward vulnerability to redirect a user to a website that is embedded in a malicious website. The user thinks they are clicking on a button or link on the original website, but they are actually interacting with the malicious website.

  • Cross-site scripting (XSS) attacks: An attacker can use an unvalidated redirect or forward vulnerability to inject malicious code into a website that is displayed to other users. This can be used to steal sensitive information, perform unauthorized actions, or take control of the user’s device.

  • Credential theft: An attacker can use an unvalidated redirect or forward vulnerability to steal user credentials, such as usernames and passwords. This can be done by redirecting the user to a website that looks like a legitimate login page, but is actually controlled by the attacker.

  • Session hijacking: An attacker can use an unvalidated redirect or forward vulnerability to hijack a user’s session and perform unauthorized actions on the user’s behalf. This can be done by stealing the user’s session ID and using it to impersonate the user.

  • DNS hijacking: An attacker can use an unvalidated redirect or forward vulnerability to redirect users to a website that is controlled by the attacker. This can be done by hijacking the DNS server that resolves the domain name of the original website.

  • Social engineering attacks: An attacker can use an unvalidated redirect or forward vulnerability to trick users into clicking on a malicious link or downloading malware. This can be done by sending a phishing email or using a fake social media account.

  • SEO spam: An attacker can use an unvalidated redirect or forward vulnerability to redirect users to a website that is used for search engine optimization (SEO) spam. This can be used to boost the ranking of the attacker’s website in search engine results.

  • Brute-force attacks: An attacker can use an unvalidated redirect or forward vulnerability to launch brute-force attacks against a website’s login page. This can be done by redirecting the user to a script that automatically tries different username and password combinations until it finds a match.

Practice environments for testing Unvalidated Redirects and Forwards

OWASP Juice Shop: This is a deliberately vulnerable web application developed by the Open Web Application Security Project (OWASP). It contains various security vulnerabilities, including Unvalidated Redirects and Forwards, which can be used to practice testing skills.

DVWA: The Damn Vulnerable Web Application (DVWA) is another vulnerable web application designed for penetration testing purposes. It has different levels of security vulnerabilities, including Unvalidated Redirects and Forwards.

WebGoat: WebGoat is an intentionally vulnerable web application that is designed to teach web application security. It has various security vulnerabilities, including Unvalidated Redirects and Forwards, which can be used to practice testing skills.

bWAPP: bWAPP (a buggy web application) is a deliberately insecure web application developed by IT security professionals. It contains various security vulnerabilities, including Unvalidated Redirects and Forwards, which can be used to practice testing skills.

HackThisSite: HackThisSite is a website that contains various challenges related to web application security, including Unvalidated Redirects and Forwards. It provides a safe environment for testing and practicing security skills.

Google Gruyere: Google Gruyere is a web application developed by Google that is designed to teach web application security. It has various security vulnerabilities, including Unvalidated Redirects and Forwards, which can be used to practice testing skills.

Damn Web Scanner (DWS): DWS is a web vulnerability scanner that can be used to find security vulnerabilities, including Unvalidated Redirects and Forwards, in web applications.

Netsparker: Netsparker is another web vulnerability scanner that can be used to find security vulnerabilities, including Unvalidated Redirects and Forwards, in web applications.

Burp Suite: Burp Suite is a popular web application testing tool that can be used to find security vulnerabilities, including Unvalidated Redirects and Forwards, in web applications.

Zed Attack Proxy (ZAP): ZAP is another popular web application testing tool that can be used to find security vulnerabilities, including Unvalidated Redirects and Forwards, in web applications.

Resources for studying Unvalidated Redirects and Forwards

OWASP: The Open Web Application Security Project (OWASP) is an organization that provides information, tools, and resources for improving the security of software. Their website contains a wealth of information on Unvalidated Redirects and Forwards, including a detailed description of the vulnerability, examples of vulnerable code, and mitigation strategies.

NIST National Vulnerability Database: The National Institute of Standards and Technology (NIST) maintains a database of known vulnerabilities, including Unvalidated Redirects and Forwards. You can use this database to research specific vulnerabilities and learn about their severity and impact.

Books: There are several books available on web application security that cover Unvalidated Redirects and Forwards. “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto is a comprehensive guide to web application security that covers Unvalidated Redirects and Forwards in detail.

Online courses: There are several online courses available that cover web application security and Unvalidated Redirects and Forwards specifically. Udemy, Coursera, and Pluralsight are some popular platforms that offer these courses.

Conferences and workshops: Attending security conferences and workshops is a great way to learn about Unvalidated Redirects and Forwards and other security vulnerabilities. OWASP and Black Hat are two popular conferences that cover web application security.

Vulnerable web applications: As I mentioned earlier, vulnerable web applications like OWASP Juice Shop, DVWA, WebGoat, bWAPP, and Google Gruyere are excellent resources for practicing and studying Unvalidated Redirects and Forwards. You can use these platforms to test your skills and learn more about the vulnerability.

Books covering Unvalidated Redirects and Forwards

Web Application Security: A Beginner’s Guide by Bryan Sullivan, Vincent Liu, and Michael Coates. This book provides an overview of web application security and includes a chapter on Unvalidated Redirects and Forwards.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto. This book is a comprehensive guide to web application security testing and includes a section on Unvalidated Redirects and Forwards.

Hacking Exposed Web Applications: Web Application Security Secrets and Solutions by Joel Scambray, Vincent Liu, and Caleb Sima. This book covers a range of web application security topics, including Unvalidated Redirects and Forwards.

The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski. This book provides an in-depth look at web application security, including common vulnerabilities like Unvalidated Redirects and Forwards.

Web Security Testing Cookbook: Over 100 hands-on recipes to efficiently test web applications for security vulnerabilities by Paco Hope, Ben Walther, and Jeff Williams. This book includes practical recipes for testing web application security, including a section on Unvalidated Redirects and Forwards.

Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski. This book provides a practical guide to web application security testing, including a chapter on Unvalidated Redirects and Forwards.

Mastering Modern Web Penetration Testing by Prakhar Prasad. This book covers modern web application security testing techniques, including a section on Unvalidated Redirects and Forwards.

Advanced Web Application Penetration Testing with Burp Suite by Sunny Wear. This book provides a comprehensive guide to web application penetration testing using Burp Suite, including testing for Unvalidated Redirects and Forwards.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Daniel Regalado, Shon Harris, and Allen Harper. This book covers a range of ethical hacking topics, including web application security testing and Unvalidated Redirects and Forwards.

Web Application Security Testing with AppScan by Brian Hazzard. This book provides a practical guide to web application security testing using IBM’s AppScan tool, including testing for Unvalidated Redirects and Forwards.

Mitigations for Unvalidated Redirects and Forwards

  1. Input validation: Always validate and sanitize any user input that is used to construct URLs or redirects, and only allow approved URLs to be redirected to.

  2. Use a whitelist: Create a whitelist of approved URLs or domains that your website can redirect to, and only allow redirects to those URLs.

  3. Use secure coding practices: Use secure coding practices to prevent attackers from injecting malicious code into your website, such as input validation, input encoding, and output encoding.

  4. Use HTTP-only cookies: Use HTTP-only cookies to prevent JavaScript from accessing them and reduce the risk of session hijacking.

  5. Use HTTPS: Use HTTPS to encrypt all traffic between the user’s browser and your website, and make sure your website has a valid SSL/TLS certificate.

  6. Limit user access: Limit access to sensitive areas of your website to authorized users only, and use strong authentication and access control measures.

  7. Implement content security policies: Implement content security policies that restrict the types of content that can be loaded on your website, such as prohibiting inline scripts and restricting the domains that can be used to load resources.

  8. Use security headers: Use security headers like Content-Security-Policy, X-Frame-Options, and X-XSS-Protection to help prevent attacks like clickjacking and cross-site scripting.

  9. Regularly update software: Regularly update your web server, application server, and web application software with the latest security patches and updates.
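As an added example (not code from the original post), here is a Python allow-list validator that implements mitigations 1 and 2 above, plus a probe runner covering the injection types named in step 3 of the methodology (complete, relative, protocol-relative and JavaScript URLs) and the null-byte case from step 4, so a fix can be re-verified as in step 7. The host names, `ALLOWED_HOSTS`, `safe_redirect_target`, `run_probes` and the probe list are all constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for the example; a real application would load it from config.
ALLOWED_HOSTS = frozenset({"app.example.com", "login.example.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on this site or an allow-listed host.

    Anything that fails a check falls back to `default` instead of being
    "cleaned up": rewriting attacker-controlled input is how bypasses are born.
    """
    if not isinstance(raw, str) or not raw:
        return default
    # Reject control characters outright: some parsers stop at NUL, and
    # CR/LF would let the value split the Location header.
    if any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return default
    # Browsers treat backslashes as forward slashes, so "/\host" is
    # protocol-relative to them even though urlsplit sees a local path.
    if "\\" in raw:
        return default
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: require https, no userinfo,
        # default port only, and a host that is exactly on the allow-list.
        if parts.scheme.lower() != "https":
            return default
        if parts.username is not None or parts.password is not None:
            return default
        if port not in (None, 443):
            return default
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default
        return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
    # Relative URL: must be a single-slash absolute path on this site.
    # "///host" collapses to a plain path in urlsplit but is host-relative
    # to browsers, so the check is done on the raw string.
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed probes modelled on the methodology's test types; each pair is
# (input, expected result) for the allow-list above.
PROBES = [
    ("/account?tab=security", "/account?tab=security"),          # relative path: allowed
    ("https://app.example.com/x", "https://app.example.com/x"),  # allow-listed host
    ("https://APP.example.com:443/x", "https://app.example.com/x"),
    ("https://evil.example/", "/"),                               # complete external URL
    ("http://app.example.com/", "/"),                             # downgrade to http
    ("//evil.example/", "/"),                                     # protocol-relative
    ("///evil.example/", "/"),                                    # extra slashes
    ("/\\evil.example/", "/"),                                    # backslash variant
    ("https://app.example.com@evil.example/", "/"),               # userinfo variant
    ("https://app.example.com.evil.example/", "/"),               # suffix variant
    ("javascript:alert(1)", "/"),                                 # script scheme
    ("/account\x00https://evil.example/", "/"),                   # null byte
    ("/account\r\nSet-Cookie: x=1", "/"),                         # CRLF in the value
    ("", "/"),                                                    # empty parameter
]


def run_probes(validate=safe_redirect_target, probes=PROBES):
    """Apply every probe; return the list of (input, got, expected) mismatches."""
    mismatches = []
    for raw, want in probes:
        got = validate(raw)
        if got != want:
            mismatches.append((raw, got, want))
    return mismatches


if __name__ == "__main__":
    failures = run_probes()
    print("all probes passed" if not failures else f"mismatches: {failures}")
```

Wire `safe_redirect_target` in front of `header()`, `sendRedirect()` or `redirect()` in the vulnerable examples above; re-running `run_probes` against the deployed endpoint's Location header is the verification step for the fix.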

Conclusion

Unvalidated Redirects and Forwards vulnerabilities can be serious security risks for web applications, as they can allow attackers to redirect users to malicious websites or execute unauthorized actions. These vulnerabilities can be exploited by attackers to steal sensitive information, conduct phishing attacks, distribute malware, or compromise the security of the entire application.

To protect against Unvalidated Redirects and Forwards attacks, it’s important to follow secure coding practices, implement input validation and output encoding, use HTTPS, and limit user access to sensitive areas of your application. Additionally, regular vulnerability scanning and penetration testing can help identify and address any vulnerabilities before they can be exploited by attackers.

It’s also important to stay up-to-date on the latest trends and techniques used by attackers to exploit Unvalidated Redirects and Forwards vulnerabilities. By understanding the risks and taking proactive steps to mitigate them, you can help keep your web applications and users safe from harm.
