Open Redirect

Severity

Low

Impact

In some cases an open redirect only helps with phishing: the attacker uses a trusted website to redirect users to a phishing page, which may lead to theft of users' credentials, credit card numbers, etc.

In other cases open redirects can be more powerful and can be escalated to another vulnerability, e.g. XSS or account takeover.

How does it work?

We will demonstrate a simple example using a PHP app.

Let's see our back-end code:

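<?php
// Deliberately vulnerable: the redirect target comes straight from the query string.
if (isset($_GET['redir'])) {
    $loc = $_GET['redir'];
    // The unvalidated value is written to the response body ...
    echo $loc;
    // ... and placed in the Location header as-is.
    header('Location: ' . $loc);
}
?>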

In this scenario the attacker can redirect users to external websites using the following URL: http://example.com/?redir=http://evil.com, because the application takes the input from users and injects it directly into the Location header of the HTTP response.

Response:

HTTP/1.1 302 Found
Date: Sun, 04 Nov 2018 22:16:45 GMT
Server: Apache/2.4.34 (Debian)
Location: http://evil.com
Content-Length: 18
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
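
The handler above in hardened form, as an added example that is not part of the original page: the redir value is accepted only if it is a same-site path or an http(s) URL on an allow-listed host, and anything else falls back to "/". The names ALLOWED_HOSTS and safe_redirect_target, the allow-list contents and the sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the only hosts this application may redirect to.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

// Returns a value that is safe to place in the Location header, or
// $fallback when the user-supplied target fails validation.
function safe_redirect_target(string $input, string $fallback = '/'): string
{
    // Control characters, spaces and backslashes have no place in a redirect
    // target; browsers treat "\" like "/", so "/\host" would leave the site.
    if ($input === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $input)) {
        return $fallback;
    }
    // Same-site path: exactly one leading slash ("//host" is scheme-relative).
    if ($input[0] === '/') {
        return strncmp($input, '//', 2) === 0 ? $fallback : $input;
    }
    // Absolute URL: http(s) only, no userinfo, host must match the list exactly.
    $parts = parse_url($input);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk   = in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
    $noUser   = !isset($parts['user']) && !isset($parts['pass']);
    return ($schemeOk && $hostOk && $noUser) ? $input : $fallback;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, printed with the target each one resolves to.
    $samples = ['/account', 'https://example.com/home', 'http://evil.com',
                '//evil.com', '/\\evil.com', 'http://example.com@evil.com',
                'ftp://example.com/file', "/ok\r\nX-Injected: 1"];
    foreach ($samples as $s) {
        printf("%-32s => %s\n", json_encode($s), safe_redirect_target($s));
    }
} elseif (isset($_GET['redir']) && is_string($_GET['redir'])) {
    // Hardened form of the page's handler: validate, redirect, stop; no echo.
    header('Location: ' . safe_redirect_target($_GET['redir']), true, 302);
    exit;
}
```

Run from the command line, only the first two samples are returned unchanged; every other sample resolves to the fallback "/".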