URL Redirection Flaw

By Sourabh Saxena

June 10, 2008

Harry gets an email from his bank stating that he has received some promotion offers so he should click on the link below to avail those offers. Harry ensures that the site is authentic by checking the name of his bank in the URL as he is aware of phishing attacks. He finds it to be a genuine URL of the bank, so he clicks the link. On clicking the link the login page of his bank is displayed to him. He enters his username and password on the login page. He gets an error page saying "The server is unable to process your request".


Harry doesn't realize that he has been tricked into visiting another site without his knowledge.

What happened and how was Harry tricked?

The attacker used a URL redirection flaw to trick Harry. Let's see how this attack worked. Harry banks with Hello-Bank (https://www.hellobank.com/). An attacker has set up a fake site, say http://www.hellobenk.com/, whose name differs from the real one by a single letter.

The attacker sent emails to multiple users asking them to click the URL in the email and log in to their accounts through it.

The email that Harry received contained the following URL:

https://www.hellobank.com/local_url?q=http://www.hellobenk.com/login.html/

So when Harry clicked on the URL the request went to www.hellobank.com, which redirected the request to the attacker's site, i.e. www.hellobenk.com. This happened because the login page of hellobank.com has the URL redirection flaw: it takes the value of the q parameter and redirects the browser to it without checking where it points.

This is how Harry was tricked into visiting another site without his knowledge.

To confuse a user an attacker may also use a URL like this:

https://www.hellobank.com/%6C%6F%63%61%6C%5F%75%72%6C?%71=%77%77%77%2E%68%65%6C%6C%6F%62%65%6E%6B%2E%63%6F%6D/%6C%6F%67%69%6E%2E%68/

Here the latter part of the URL is written as percent-encoded HEX values, which makes the URL harder to read for a user; the browser decodes it to the same destination as before.

How to prevent attackers from exploiting this flaw?

  1. Don't offer this feature.
  2. If the feature is necessary then the application should:
    1. Send the target URL through a POST request in encoded/encrypted form.
    2. Maintain a white-list of the servers/URLs for which redirection is implemented.
    3. Implement server-side validation for all URLs that are used for redirection.
    4. Never send sensitive data like the Session ID with requests to external sites.
    5. On the redirection page, put a link or button for redirecting a user to an external server with a message like "You are leaving the site. Please click the button/link for confirmation. Do not enter any sensitive data related to our site in the next pages".
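The white-list and server-side validation points above are where most redirect checks go wrong, because the check has to be applied to the URL as a browser would interpret it, not as a string. The following is an added example, not code from the original article: a small Python function that accepts only same-origin paths or absolute URLs whose host is on an allow-list, and that percent-decodes the value first so the HEX-encoded form shown earlier is judged on its decoded content. The allow-list, the fallback URL and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Hosts (lower-case) to which this application is allowed to redirect.
# Constructed for this example; a real application would load it from config.
ALLOWED_HOSTS = {"www.hellobank.com", "hellobank.com"}
# Where to send the browser when the requested target is rejected.
FALLBACK = "https://www.hellobank.com/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS,
                         fallback=FALLBACK) -> str:
    """Return `target` if it stays inside the allow-list, else `fallback`.

    The value is percent-decoded until it stops changing, so a scheme or
    host hidden behind one or more layers of %XX encoding is examined in
    its decoded form, the same form the browser will act on.
    """
    decoded = target
    for _ in range(3):                      # bounded: avoids endless loops
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Browsers treat backslashes as forward slashes in URLs, so normalise
    # before parsing; otherwise "/\evil.example" looks like a local path.
    decoded = decoded.replace("\\", "/").strip()

    # Control characters make different parsers disagree; reject outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return fallback

    parts = urlsplit(decoded)

    # No scheme and no host: a relative reference. Accept only a path that
    # starts with a single "/"; "//host/..." is scheme-relative and would
    # leave the site, and urlsplit reports its host in `netloc`.
    if parts.scheme == "" and parts.netloc == "":
        if decoded.startswith("/") and not decoded.startswith("//"):
            return decoded
        return fallback

    # Absolute URL: only web schemes, and only allow-listed hosts.
    if parts.scheme.lower() not in {"http", "https"}:
        return fallback
    # `hostname` drops userinfo ("hellobank.com@evil" -> "evil"), drops the
    # port and lower-cases the host, so those tricks are seen through.
    host = parts.hostname
    if host is None or host.rstrip(".") not in allowed_hosts:
        return fallback
    return decoded


def demo() -> dict:
    """Run a few constructed inputs through the check and return the results."""
    samples = [
        "/account/offers",                                   # same-origin path
        "https://www.hellobank.com/offers",                  # allow-listed host
        "http://www.hellobenk.com/login.html",               # look-alike host
        "//www.hellobenk.com/login.html",                    # scheme-relative
        "https://www.hellobank.com@www.hellobenk.com/",      # userinfo trick
        "%77%77%77%2E%68%65%6C%6C%6F%62%65%6E%6B%2E%63%6F%6D/",  # HEX-encoded
        "/\\www.hellobenk.com",                              # backslash trick
        "javascript:alert(1)",                               # non-web scheme
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for target, result in demo().items():
        print(f"{target!r:60} -> {result}")
```

Only the first two sample inputs come back unchanged; every other one is replaced by the fallback, including the percent-encoded host from the article, which is rejected because after decoding it is neither a local path nor an allow-listed absolute URL. Note that the allow-list compares whole host names, so a host such as www.hellobank.com.hellobenk.com is not matched by a prefix or substring test.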

Are there any ways to find if this flaw exists in an application?

Yes, there are ways to find this flaw other than browsing through the application/website manually. They are as follows:

  1. Search engines like Google can be used to find out whether an application is vulnerable, with queries such as:
    1. inurl:redirect.php site:hellobank.com
    2. inurl:redirect site:hellobank.com
    3. inurl:url site:hellobank.com
  2. Web robots: these are programs, also known as spiders, wanderers or crawlers, that traverse the web automatically and list most of the URLs in an application.

Are there different types of URL Redirection?

  1. Looping with single domain forwarding: single domain forwarding is related to forwarding the traffic through a vulnerable URL to a single destination.
    For example: http://www.google.com/search_result?q=www.attackersite.com/
    In this example a victim is redirected to a single site, i.e. to www.attackersite.com.
  2. Looping with multiple domain forwarding: multiple domain forwarding is related to forwarding the traffic to multiple sites.
    For this a number of URLs can be stored in an array. This array can then be used in a script to redirect a victim to those websites by opening a number of child browser windows. An attacker may also use a script with a single URL (and not the array) within a loop for multiple redirections.
