What is an Open Redirect Vulnerability?
An Open Redirect vulnerability exists when an application lets an attacker control where a user is redirected, so that a link on a trusted site can send the user to another site entirely (one with untrusted content, or one built for malicious purposes). The security community doesn’t put enough emphasis on Open Redirect vulnerabilities because they are most commonly associated with phishing scams and social engineering.
However, Open Redirect vulnerabilities help attackers in many ways that go far beyond phishing. The real risk appears when an Open Redirect is combined with Server-Side Request Forgery, an XSS Auditor bypass, an OAuth flow, and so on. We cover these in depth later in this post.
Different kinds of Open Redirects
Header-Based Open Redirection
– The server’s Location response header tells the browser to redirect to a URL.
– The same header is also used to give the location of a resource that was just created.
When Open Redirect becomes an issue
As mentioned above, most people assume Open Redirects are only ever tied to phishing scams and social engineering. They underestimate how Open Redirects can be chained with other attacks.
Let’s look at how an Open Redirect is used to steal users’ confidential information. Abusing an OAuth flow works best when the attacker wants the victim to sign up for or log into a popular platform such as Google, Facebook, Twitter, LinkedIn, and so on. A link sends the victim to the legitimate website in question (Instagram, for example), where the victim enters their login details. A redirect then sends the victim to a bogus site that looks identical to the real one, which claims the username or password was incorrect and asks the victim to enter their credentials again. That is how the information is stolen, and the attacker can then exploit it in many ways. Facebook defends against this by requiring redirect_uri to match a pre-configured URL, and if there is a mismatch the redirection is denied. Unfortunately, most other platforms and services don’t do this.
Next there are Server-Side Request Forgery and the Cross-Site Scripting Auditor bypass. SSRF is an attack that can compromise a server: exploiting an SSRF vulnerability lets an attacker reach internal systems that sit behind a firewall or URL filters. An Open Redirect is extremely useful for bypassing those filters, because the attacker only needs the server to fetch content from an allowed domain that can then redirect anywhere. By combining an Open Redirect with SSRF, the attacker gets free rein to reach wherever they please inside the network.
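The defensive counterpart of the SSRF-plus-redirect chain described above is a server-side fetcher that never follows a redirect blindly: it applies the same URL policy to every Location header it is handed that it applied to the original URL. The example below is added here and is not code from the original post or from NeuraLegion; the host allowlist, the `fetcher` callable and the `FAKE_WEB` responses are constructed so it runs offline.

```python
"""
Redirect-aware server-side fetch policy (added example, constructed data).

url_permitted() is the policy; fetch_with_redirect_policy() refuses to let a
redirect on an allowed host carry the request somewhere the policy would have
rejected if asked directly.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed allowlist of hosts the server is permitted to fetch from.
ALLOWED_FETCH_HOSTS = {"partner.example.com"}


def url_permitted(url, allowed_hosts=ALLOWED_FETCH_HOSTS):
    """Only http(s) URLs whose hostname is exactly on the allowlist pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # rejects file:, gopher:, etc.
    host = parts.hostname  # lower-cased, port and userinfo stripped
    if host is None:
        return False
    # A literal IP address never passes; internal hosts are reached that way.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host in allowed_hosts


def fetch_with_redirect_policy(url, fetcher, max_hops=3):
    """Follow at most max_hops redirects, validating every hop.

    `fetcher(url)` must return (status, headers, body) WITHOUT following
    redirects itself. Returns (final_url, status, body) or raises
    PermissionError when a hop is outside the policy.
    """
    current, hops = url, 0
    while True:
        if not url_permitted(current):
            raise PermissionError(f"blocked fetch of {current}")
        status, headers, body = fetcher(current)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            if hops >= max_hops:
                raise PermissionError("too many redirects")
            # Resolve a relative Location against the current URL, then loop
            # so the new target goes through the same policy check.
            current = urljoin(current, location)
            hops += 1
            continue
        return current, status, body


# Constructed responses standing in for the network. The partner host has an
# open redirect on /go that forwards wherever ?to= says.
INTERNAL = "http://10.0.0.5/admin"
FAKE_WEB = {
    "https://partner.example.com/data": (200, {}, b"ok"),
    "https://partner.example.com/old": (301, {"Location": "/data"}, b""),
    "https://partner.example.com/go?to=" + INTERNAL: (302, {"Location": INTERNAL}, b""),
}


def fake_fetcher(url):
    return FAKE_WEB.get(url, (404, {}, b""))


if __name__ == "__main__":
    print(fetch_with_redirect_policy("https://partner.example.com/old", fake_fetcher))
    try:
        fetch_with_redirect_policy("https://partner.example.com/go?to=" + INTERNAL, fake_fetcher)
    except PermissionError as exc:
        print("blocked:", exc)
```

With a real HTTP client the fetcher must disable automatic redirects (for example `requests.get(url, allow_redirects=False)`), otherwise the library follows the hop before the policy ever sees it. This check compares host names only; a production policy would also resolve the name and reject private addresses at connect time.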
Then there is the Cross-Site Scripting (XSS) Auditor bypass. Google Chrome, for example, has a built-in XSS Auditor that stops most reflected XSS attacks. There is a way past it using an Open Redirect, because the XSS Auditor cannot stop an attacker from including scripts hosted on the same domain. The Open Redirect then lets the attacker avoid the XSS Auditor with code like:
How to avoid Open Redirect vulnerabilities?
Avoid redirects completely where possible, especially those supplied via a GET parameter or otherwise based on user-controlled input. If you cannot avoid redirecting, these are the solutions:
– Whitelist the URLs you trust as redirect targets
– Validate and sanitize every redirect target before performing the redirect
– Make developers aware that Open Redirect vulnerabilities aren’t only used in phishing scams and that attackers use them to exploit other vulnerabilities
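The two checks recommended on this page, a whitelist of trusted redirect targets and the exact redirect_uri match the OAuth section attributes to Facebook, are shown together below. This is an added example, not code from the original post or from NeuraLegion; the hosts, client id and registered URIs are constructed. It goes a little beyond the text by also handling the malformed targets (backslashes, protocol-relative URLs, userinfo tricks, lookalike subdomains) that a naive string check lets through.

```python
"""
Safe redirect-target validation (added example, constructed data).

is_safe_redirect_target(): validates a user-supplied "next"/"returnUrl" value
against a host whitelist, accepting only same-site paths or https URLs whose
hostname is exactly on the list.
redirect_uri_allowed(): exact-match check of an OAuth redirect_uri against the
URIs registered for the client, with no prefix or wildcard matching.
"""
from urllib.parse import urlsplit

# Constructed whitelist: hosts this application may send users to.
ALLOWED_HOSTS = {"app.example.com", "help.example.com"}

# Constructed registry: client_id -> set of exactly registered redirect URIs.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def is_safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a same-site relative path or a whitelisted https URL."""
    if not target:
        return False
    # Whitespace and control characters let some browsers "repair" a URL in
    # surprising ways; reject instead of trying to normalise them away.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat a backslash like a forward slash, so "\\evil.example" and
    # "/\\evil.example" behave like "//evil.example". Normalise before parsing.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require exactly one leading slash, which rules out
        # protocol-relative "//host" forms.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # also rejects javascript:, data:, http:
    # "https://app.example.com@evil.example" has hostname evil.example, so the
    # comparison is on hostname (not the raw netloc), and it is exact, so
    # "app.example.com.evil.example" fails too.
    return parts.hostname in allowed_hosts


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string match against the client's pre-registered redirect URIs."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


if __name__ == "__main__":
    # Constructed sample inputs a login handler might receive in ?next=
    for candidate in ["/dashboard", "https://app.example.com/settings",
                      "//evil.example/", "/\\evil.example",
                      "https://app.example.com@evil.example/",
                      "https://app.example.com.evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {is_safe_redirect_target(candidate)}")
    print(redirect_uri_allowed("client-123", "https://app.example.com/oauth/callback"))
    print(redirect_uri_allowed("client-123", "https://app.example.com/oauth/callback?x=1"))
```

Use the validated value as the Location header only when the check passes and fall back to a fixed landing page otherwise. For the OAuth check, note that any deviation from the registered string, including an extra query parameter or a path traversal segment, is rejected rather than normalised.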
NexDAST to the rescue
Another excellent way of remedying Open Redirect vulnerabilities is with NeuraLegion’s NexDAST, a black-box security testing solution that examines your application, APIs, or WebSockets and looks for vulnerabilities. NexDAST is an automated scanner that finds both standard and major security vulnerabilities on its own, without human assistance. Because of this, NexDAST is an excellent remedy for Open Redirect vulnerabilities: it locates them quickly and sends alerts with remediation guidelines to the developers, or automatically opens tickets in the company’s bug tracking tool.
If you wish to learn more about NexDAST, we have a blog post that provides additional information and outlines its advantages. Anyone who has read it and decided to try NexDAST can request a demo here. If you’re interested in our security solutions, check out our LinkedIn page for more content, and feel free to leave a comment with your thoughts on this post.