What are unvalidated redirects

Many web applications send users to different pages or domains using redirects; this is nothing new. However, as with a lot of vulnerabilities, if the redirect functionality does not have sufficient checks in place, a malicious user may be able to abuse it for personal gain.

Let me give an example. Let’s say we have a password reset page; when a user successfully fills out this page and clicks the reset button, they’re often redirected to the login page. You’ll find that this redirect destination is often specified in the application URL as a GET parameter. I’ll provide a sample URL below.

https://vulnerable-bookstore.com/auth/reset-password?redirect=/login

So, let’s take a look at the provided URL. As you can see, we have a GET parameter called redirect, which has been given a value of /login. In this case the value /login is itself a URL: when the reset completes (or whenever the page is loaded with this parameter set), the application reads it to decide where it should send the user. So what happens if we change it to a different location? Let’s see; I have provided an alternative URL below.

https://vulnerable-bookstore.com/auth/reset-password?redirect=https://arctil.com

In this example we have specified a completely different domain for the redirect. If the web application in question does not have sufficient checks in place, it will take the value of the GET parameter, in this case https://arctil.com, and redirect the user there. This is where the vulnerability arises. What happens if a malicious user places a malware link in that redirect parameter? Although the URL looks legitimate and points at a trusted website, any user who visits the malicious link would be automatically redirected, often without any page interaction at all, and would then be at greater risk.

How to prevent unvalidated redirects?

Whenever you’re redirecting the users of your website, there are a few checks you can put in place to ensure users are only sent to valid locations. You can do this in a couple of ways; the easiest is to either use a URL whitelist or only redirect to local paths on your own site.

A whitelist is a list of specified domains to which the redirect is allowed to send users. If the URL has been modified to point at an unauthorized location, the redirect would fail and thus help keep the user safe.
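Here is an added example of both checks described above (local-path-only and a domain whitelist), as a validator you would call before issuing the redirect. This is example code written for this post, not code from the original article; it assumes the site host from the sample URLs (vulnerable-bookstore.com), an assumed external partner host "partner.example" on the whitelist, and /login as the fallback destination. It also covers the edge cases a plain "starts with /" or "contains our domain" check misses: scheme-relative URLs like //arctil.com, backslash variants, userinfo tricks such as https://vulnerable-bookstore.com@arctil.com, and look-alike subdomains.

```python
"""Validate a user-supplied redirect target before sending an HTTP redirect.

Added example, not code from the original post. Assumes the application is
served from vulnerable-bookstore.com (host used in the post's sample URLs),
that "partner.example" is an assumed external host we also allow, and that
/login is the safe fallback when the parameter is missing or rejected.
"""
from typing import Optional
from urllib.parse import urlsplit

# Whitelist: hosts the application may redirect to, including itself.
ALLOWED_HOSTS = {"vulnerable-bookstore.com", "partner.example"}
DEFAULT_REDIRECT = "/login"


def is_local_path(target: str) -> bool:
    """True only for a path on this site: a single leading '/' with no host part."""
    if not target.startswith("/"):
        return False
    # "//arctil.com" and "/\arctil.com" are treated as scheme-relative URLs by
    # browsers, so they would leave the site even though they start with '/'.
    if target.startswith("//") or target.startswith("/\\"):
        return False
    # Some browsers normalise '\' to '/', so reject backslashes anywhere
    # rather than trying to predict how each client will parse them.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_allowed_external(target: str) -> bool:
    """True only for an absolute https URL whose host is on the whitelist."""
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False
    # .hostname lower-cases the host and strips userinfo and port, so
    # "https://vulnerable-bookstore.com@arctil.com" yields "arctil.com",
    # and "vulnerable-bookstore.com.arctil.com" is simply not in the set.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    return port in (None, 443)


def safe_redirect_target(target: Optional[str]) -> str:
    """Return the target if it passes either check, otherwise the default."""
    if not target:
        return DEFAULT_REDIRECT
    target = target.strip()
    # CR/LF or other control characters in a Location header would allow
    # header injection, so refuse them before doing anything else.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return DEFAULT_REDIRECT
    if is_local_path(target) or is_allowed_external(target):
        return target
    return DEFAULT_REDIRECT


if __name__ == "__main__":
    # Constructed sample parameter values, including the post's own examples.
    for candidate in ["/login", "https://arctil.com", "//arctil.com",
                      "https://vulnerable-bookstore.com@arctil.com/",
                      "https://partner.example/path?x=1", "javascript:alert(1)"]:
        print(f"{candidate!r:55} -> {safe_redirect_target(candidate)!r}")
```

In a request handler you would call `safe_redirect_target(request.args.get("redirect"))` and pass only its return value to the framework's redirect function. Note that the whitelist check deliberately rejects plain http:// and non-default ports; loosen that only if your site actually needs it.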
