Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Understanding and Discovering Open Redirect Vulnerabilities

One of the most common and largely overlooked vulnerabilities by web developers is Open Redirect (also known as "Unvalidated Redirects and Forwards"). A website is vulnerable to Open Redirect when parameter values (the portion of URL after "?") in an HTTP GET request allow for information that will redirect a user to a new website without any validation of the target of redirect. Depending on the architecture of a vulnerable website, redirection could happen after certain action, such as login, and sometimes it could happen instantaneously upon loading of a page.

An example of a vulnerable website link could look something like this: https://www.example.com/login.html?RelayState=http%3A%2F%2Fexample.com%2Fnext 

In this example, "RelayState" parameter indicates where to send user upon successful login (In our example it is "http://example.com/next"). If website doesn't validate the "RelayState" parameter value to make sure that target web page is legitimate and intended, attacker could manipulate that parameter to send a victim to a fake page crafted by attacker: https://www.example.com/login.html?RelayState=http%3A%2F%2FEvilWebsite.com

Open Redirect vulnerabilities don't get enough attention from developers because they don't directly damage website and do not allow an attacker to directly steal data that belong to the company. However, that doesn't mean that Open Redirect attacks are not a threat. One of the main uses for this vulnerability is to make phishing attacks more credible and effective.

When an Open Redirect is used in a phishing attack, the victim receives an email that looks legitimate with a link that points to a correct and expected domain. What the victim may not notice, is that in a middle of a long URL there are parameters that manipulate and change where the link will take them. To make identification of the Open Redirect even more difficult, redirection could take place after victim provides login on a legitimate website first. Attackers have found that an effective way to trick a victim is to redirect him to a fake website after they enter their credentials on a legitimate page. The fake website would look identical to a legitimate website, and it would ask the victim to re-enter their password. After the victim re-enters their password it would be recorded by the attacker and victim would be redirected back to a valid website. If done correctly, victim would think that he mistyped password once and would not notice that his username and password were stolen.

Phishing is used in most successful targeted hacks and also regularly in opportunistic attacks. Considering how prominent phishing is in our daily lives, Open Redirect vulnerabilities should not be dismissed.

It would have been unfair to single out any specific website or company as being vulnerable to Open Redirect because so many companies have it. Instead, it's more useful to demonstrate how common those websites are and how easy it is to find them.

Doing a web search is one of the best tools to find Open Redirect on your own website and across a wider Internet.

Google Search allows for a great flexibility in writing search queries, including queries that specifically search through URLs of pages.

The following operators and special symbols allow anyone to craft very targeted Google Searches for finding Open Redirects:

allinurl - operator that tells Google to search within URL for all provided keywords
Example: allinurl:ReturnUrl which searches for web pages that have "ReturnUrl" as part of their URL


site - operator that tells to only return results that are on specific domain or a web site
Example: site:example.com which searches for web pages from example.com


"" - double quotes are a special symbols that used to indicate to search for exact combination of words and symbols within quotes


* - The asterisk is a wildcard that represents one or more words

Using these allows us to search for certain tell tale signs of potential Open Redirect:

We can look for the general presence of "http" or "https" within parameter area of GET request. For instance:

allinurl:%3Dhttps*
allinurl:%253Dhttps*
allinurl:%3Dhttp*
allinurl:%253Dhttp*

We can also search for specific, common words related to forwarding within parameter area of GET request. For instance:

allinurl:"<keyword>=https"
allinurl:"<keyword>=http"
allinurl:<keyword>=https
allinurl:<keyword>=http
allinurl:<keyword>%3Dhttps
allinurl:<keyword>%3Dhttps*
allinurl:<keyword>%253Dhttps
allinurl:<keyword>%253Dhttps*
allinurl:<keyword>%3Dhttp
allinurl:<keyword>%3Dhttp*
allinurl:<keyword>%253Dhttp
allinurl:<keyword>%253Dhttp*
allinurl:<keyword>

Instead of <keyword>, we would use one of the following words typical of redirects: RelayState, ReturnUrl, RedirectUri, Return, Return_url, Redirect, Redirect_uri, Redirect_url, RedirectUrl, Forward, ForwardUrl, Forward_URL, SuccessUrl, Redir, Exit_url, Destination. This is by no means a comprehensive list of keywords. You can find more by analyzing results from the more general queries looking for a URL in the parameter section of the GET request.

For targeted searches, you can add "site:<domain_name>" to the end of your Google Queries. This can help you identify Open Redirect vulnerabilities on your own website.

Using this simple search technique you can find dozens of Open Redirect vulnerabilities within minutes. List of vulnerable websites includes banking websites, websites of international corporations, trusted companies, beloved projects and numerous websites of smaller organizations. As an additional bonus, each time Google's web crawler comes across new website that has Open Redirect, we will get updated results through our queries.

The best way to avoid Open Redirect vulnerability is to avoid redirecting based on parameter controlled by users or supplied through GET method. If redirecting is unavoidable, it can be dealt with by validating a redirect target and sanitizing it using whitelist of approved URLs.

I would encourage you to inform and educate your web developer friends about Open Redirects. You can do it by forwarding this post to them or by finding vulnerabilities using technique mentioned above and reporting directly to company with details. Let's make phishing attacks harder to succeed!

If you would like to share some of your favorite clever Google Queries that you use for vulnerability discovery, please post them in comment section.

Latest SpiderLabs Blogs

Network Isolation for DynamoDB with VPC Endpoint

DynamoDB is a fully managed NoSQL database service offered by Amazon Web Services (AWS). It is renowned for its scalability, dependability, and easy connection with other AWS services....

Read More

The Underdog of Cybersecurity: Uncovering Hidden Value in Threat Intelligence

Threat Intelligence, or just TI, is sometimes criticized for possibly being inaccurate or outdated. However, there are compelling reasons to incorporate it into your cybersecurity defense strategy....

Read More

Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture...

Read More