Exploiting Open Redirect Vulnerabilities

An Eye-Opening Guide to URL Redirection

Have you ever clicked a phrase in a website article and found yourself in a new tab on a completely different site? If you have wondered why this happened, it’s likely you have never heard of the URL redirect. In fact, URL redirects are a very common practice in website operations. A redirect sends visitors of your domain to a different URL after they click a link on your site. You can forward your domain name to any website or webpage you want.

What Is Open Redirection? Let’s Clear That Up

An open redirect vulnerability exists when the destination of the redirect is provided by the client and it is not filtered or validated. Or in other words, it occurs when a web application or server uses an unvalidated link submitted by a user to redirect visitors to a particular website or page.

How Does an Open Redirect Cause Problems? 

Open redirects can expose websites to risks when not properly implemented. Allowing users to decide where they are redirected seems helpful at first glance, but when exploited, such a feature can seriously compromise application security, and attackers can take advantage of it to steal data. To see how dangerous this can be, remember that an attacker can choose the redirect destination just as any other user can, and we can presume that they will not make good use of it!

An open redirect vulnerability occurs when an attacker manipulates the user’s actions by redirecting them to a malicious website when they click on a link on a trusted website.

Unlike other vulnerabilities, an open redirect does not directly harm websites and does not allow attackers to steal company data directly. Therefore, developers do not pay enough attention to it. Nevertheless, open redirect attacks remain a threat.

Examples of Exploiting Open Redirect Vulnerabilities

Hackers tend to exploit the trust of users by using open redirects on legitimate websites. There is a safe URL at the start, and the malicious URL comes later, usually encoded to avoid being detected. The following are a few possible attack options.

Phishing Attacks

Phishing attempts are one of the most obvious uses of crafted malicious URLs. 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link. (PurpleSec)

Using a link that appears to point at the original site but redirects to an attacker-controlled URL, an attacker can phish users of legitimate websites whose redirect endpoints are exposed as part of the URL.

This vulnerability occurs when parameter values in a link request contain information that causes a redirection to a new website, and the destination of the redirection is not verified. A URL parameter is the part after a ‘?’. For instance, if your domain is test.com, an attacker might create the following URL:

https://www.test.com/login.html?url=http://cyberattack.com

The attacker may then send this URL as part of a phishing attempt to redirect the victim to the malicious website cyberattack.com. The attacker would be hoping that test.com at the beginning will have a trustworthy appearance and make the victim fall for the phishing attack.
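The check that is missing from the test.com redirect above can be written as follows. This is an added example, not code from the original article; the allowlist, the fallback path and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this site is willing to redirect to (hypothetical allowlist).
ALLOWED_REDIRECT_HOSTS = {"www.test.com", "test.com"}
FALLBACK = "/"  # where to send the user when the requested target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_REDIRECT_HOSTS, fallback=FALLBACK):
    """Return raw if it is a same-site path or an allowlisted URL, else fallback."""
    if not raw:
        return fallback
    # Browsers treat "\" like "/" and drop control characters, so reject both.
    if "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return fallback
    candidate = raw.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path that starts with one slash.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # hostname drops userinfo and port, so "test.com@other" compares as "other".
    host = (parts.hostname or "").lower()
    return candidate if host in allowed_hosts else fallback


if __name__ == "__main__":
    # Constructed inputs: the article's URL value plus common look-alike forms.
    for value in ("http://cyberattack.com", "/account/settings",
                  "//cyberattack.com", "https://www.test.com@cyberattack.com/",
                  "https://www.test.com.cyberattack.com/"):
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The handler behind `login.html?url=` would pass the parameter through this function and redirect only to the value it returns.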

In some cases, a website redirect could happen after a certain action, such as login, while in others, it could occur instantly when a page loads. Knowing what a cyber attacker can do in such a case, it’s not hard to guess their favorite places to take advantage of an open redirect vulnerability!

Open redirect vulnerabilities are probably among the main methods that hackers use to steal personal information. For example, you may receive an email claiming that your password is about to expire and asking you to click on a certain link to renew your password. The important thing that happens here is that you probably won’t pay enough attention to the link address while you’re clicking on it and BOOM! Such is the ease of being hacked.

Server-Side Request Forgery (SSRF)

The backend servers of vulnerable web applications can be manipulated by attackers exploiting server-side request forgery (SSRF) vulnerabilities. An SSRF attack is typically used by criminals to target systems behind firewalls that are not accessible from an external network. In other words, an attacker can make the server-side application connect to an arbitrary domain of their choice via HTTP requests.

Take an online shop with different server types on the backend as an example. Each category in the application includes a variety of products, and the data for each product is saved on a different service.

Once you click on a product, the server that hosts the application (the current server) makes a connection to the other server to get its data. As an example, take the following request:

https://youronlineshop.com/product?url=https://otherserver.com/product?id=164

In this case, the server is requesting further information for the product identified by id 164 from the otherserver.com server. Upon receiving this request, the otherserver.com server will find the product information and forward it to the main server, which then displays the contents.

A malicious request can be made by manipulating the URL parameter in this example. Here’s an example of what the attacker would do:

https://youronlineshop.com/product?url=file:///etc/shadow

If executed without any security protection, this request would display the contents of /etc/shadow, sending a victim to a fake webpage created by the attacker.
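A server-side check for the shop's `url` parameter, run before the backend makes the request, could look like the following. This is an added example, not code from the original article; the allowlist, the `resolve` hook and the sample DNS data are assumptions so that it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only backend the shop is meant to fetch product data from.
ALLOWED_FETCH_HOSTS = {"otherserver.com"}


def check_fetch_url(raw, resolve, allowed_hosts=ALLOWED_FETCH_HOSTS):
    """Return (ok, reason) for a URL the server is about to fetch.

    resolve is a callable mapping a host name to a list of IP strings. It is a
    hypothetical hook for this example; production code would wrap
    socket.getaddrinfo and connect to the exact address it validated.
    """
    try:
        parts = urlsplit(raw)
    except ValueError:
        return False, "unparseable"
    # Scheme allowlist: this alone rejects file:///etc/shadow.
    if parts.scheme != "https":
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not allowlisted"
    addresses = resolve(host)
    if not addresses:
        return False, "no address"
    # An allowlisted name must still not point at loopback or internal ranges.
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, "resolves to non-public address"
    return True, "ok"


# Constructed resolver data for the example; not real DNS answers.
SAMPLE_DNS = {"otherserver.com": ["93.184.216.34"]}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://otherserver.com/product?id=164", "file:///etc/shadow"):
        print(url, "->", check_fetch_url(url, sample_resolve))
```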

Here’s How We Can Help 

Preventing open redirect vulnerabilities is therefore crucial in light of all the problems they can cause. Several steps can be involved in preventing this vulnerability; however, you must monitor your traffic continuously and decide how it can be improved. Hackers are the best at implementing security techniques, and they are the most reliable in this scenario. With white-hat hackers’ assistance, you can stay ahead of cyber criminals in terms of security implementations.
