Open redirects – a vulnerability class no one but attackers cares about(stevetabernacle.github.io) |
Open redirects – a vulnerability class no one but attackers cares about(stevetabernacle.github.io) |
Open redirects are worth fixing, but they're a lot more common than I think people expect they are. I think the severity:low the "good" (unconstrained, straightforward links, persistent, across all browsers) ones get is well measured.
I see open redirects as sort of the archetype of the "t-shirt vulnerability" --- the one the bug bounty sends you swag, instead of cash, for finding.
It presented a page which claimed to be an age flagged video - at the time youtube was having many problems with age flagging videos - and sure enough many people tried to login to it - they looked at the "(youtube.com)" text on reddit, they looked at their browser when they first clicked the link, but they never noticed when the URL changed to offsite when they had to login. It never struck them that a legitimate youtube link could have sent them offsite.
The solution most of those people arrived was simple though: use password managers which will force some extra suspicion if the login page doesn't behave as expected.
EDIT: Found the link and discussion, https://old.reddit.com/r/programming/comments/bpy7h/think_yo...
By the numbers it looks like about 1/2 the people who made it to the sign in page made it to the submit page. That's a pretty good result especially given that it's a technical subreddit and people were primed with "think you're immune to phishing attacks"...
That Reddit shows the domain name next to the link (HN also) is, I think, the key here—it casually set expectations. Most link situations won’t be like that, and so I’m broadly with tptacek, that it’s not actually so useful. Plus, businesses commonly use all sorts of different domains, rather than subdomains, and something like yourbank-security.com instead of yourbank.com may not even raise eyebrows—to say nothing of people probably not even twitching at login.yourbank.com.evil.com anyway.
I agree that the impact is low compared to other vulnerabilities. It is definitely the case that you get a t-shirt (at best) for it. Though, my point is that they could be critical for the users, not for the website itself. An attacker that don't really care about the vulnerable website can still exploit the trust in the vulnerable website to perform attacks on the user he is interested in (e.g. hash stealing or malicious redirects). In fact, I believe malicious redirects is a really common payload of XSS flaws.
I guess if your argument is that there would be high value in eradicating open redirects wholesale, I sort of see your point. But the incremental value of eliminating one open redirect is marginal at best.
Back then, it seemed reasonable to not consider this a real security flaw. Now that everyone has a Google account, the possibility of credential theft seems like something worth taking seriously.
At the very least, either host the redirect on a domain that is clearly distinct from the domain users log into, or ignore the destination parameter if the referrer is not a trusted source.
Now I'm wondering if this is also a potential vector for DDoS attacks against a third party. Widely distribute links "to a cute puppy on Instagram" that redirect to a URL that triggers a resource-intensive search operation on the victim's server? (Bonus points if the redirect points to a page that loads an actual cute puppy in one frame, and targets the victim with a 1-pixel frame.)
It sounds like a stretch, but I can't rule the possibility out. Even if it can't be used to launch a DDoS, I could see it being used for advertising fraud.
Not sure I follow - is the idea to redirect from google.com to an attacker's site that spoofs the Google login page? I think we'll get more mileage out of solving that with origin-aware authentication mechanisms (password managers, U2F, WebAuthn, etc.) and perhaps address bars that show the eTLD+1 instead of / more prominently than the full URL. Phishing is already a problem even without open redirects.
> Widely distribute links "to a cute puppy on Instagram" that redirect to a URL that triggers a resource-intensive search operation on the victim's server?
Keep in mind that unrelated web pages can send GET requests to each other by just using an image tag, so if your website has a resource-intensive search delivered over GET and no automation to detect suspicious behavior and spikes in certain types of requests, you're already vulnerable to this via e.g. someone submitting an interesting blog page to HN that loads youe search page as a resource. Either make it POST or add some HTTP-level DDoS protection a la Cloudflare.
Same with advertising fraud - ad clicks should be POSTs. (Open POST redirects do seem more dangerous but are probably rare.)
Everything else in your comment is spot on.
I have previously been awarded a bug bounty by Google for an issue that leveraged open redirects on victim sites to hijack their link equity (PageRank): http://www.tomanthony.co.uk/blog/google-login-hijack/
It would have allowed a non-trivial financial impact on victim companies.
Secondly, I submitted an issue to Google which leveraged open redirects on their properties to hijack the login flow (i.e. a user is on an official Google page, selects a user and is redirected to an attacker for the password prompt - halfway through the login flow, when a user has likely already established they are on a real site): http://www.tomanthony.co.uk/blog/google-login-hijack/
Sometimes open redirects are unavoidable, but all too often they aren't necessary and so it is simply lazy to not fix them and point to Google and others who mark them as WONTFIX as reason not to bother doing so yourself.
Is there another redirect attack I'm not aware of? The other attacks on redirect generally involve gaining access to some other page on the client you are attacking and using that as a redirect which the provider will often allow if it's only validating the domain. That's not really an open redirect, however...
Am I missing something?
Spammers were sending out emails containing links to `example.gov.uk/redirect?url=dodgy-viagra.ph` - and certain spam filters were trained to whitelist "trusted" domains.
You also see a lot of open redirect abuse on forums - especially where they're configured to only show the first few dozen characters of a link.
I believe it's worth fixing these, not only because it gets penetration tests to shuddup, but because cybercreeps...
It's silly that these big tech companies won't fix them.
That said, how useful is an open redirect attack really?
In the past, one solution was to HMAC the destination URL with a time component (i.e. the redirect is only valid for a short period of time).
Today, you can check the origin header when your user lands on the redirect page or just tell the browser what information you want in the referrer (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...).
The better option is an encrypted blob containing all relevant data and a timing component. Of course those thing do require effort. It makes it opaque for everyone but the server handling the redirect.
A nice benefit of using a framework like angular, Vue, react, etc, is that they prevent attacks like this unless you explicitly disable those features.
This covers what the vulnerabilities are, how they happen, how they work, and how to prevent them. It's not exhaustive, because that list would be endless, but it's one of the best resources for a web developer who is not a security practitioner.
I don't think Toys R Us was ever harmed but it was mildly amusing and I'm sure a few people's panties got knotted after they found out Toys R Us doesn't actually sell firearms and they got all enraged over nothing.