What are Redirects?
A redirect means a website forwards a request for a resource to another URL/endpoint. Let’s assume that you make a request to davindertutorials.com and davindertutorials.com redirects you to another website (new-davindertutorials.com), so you’ll end up at new-davindertutorials.com even though the original request was made for davindertutorials.com. This is called “redirection”. There are different types of redirects in HTTP; the 3xx status codes are listed below.
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Found
- 303 See Other
- 304 Not Modified
- 305 Use Proxy
- 307 Temporary Redirect
- 308 Permanent Redirect
Now let’s understand this vulnerability:
An attacker can construct a URL within the application that causes a redirection to an external domain. This behaviour is commonly abused for phishing attacks against users of the application.
Why is this an issue?
.com, a TRUSTED website, allows you to redirect to any other website. Then a malicious user can simply redirect to attacker.com, and people fall for it all the time, believing that it’s trusted when in fact it’s not. So allowing redirects to any website without a stop in the middle, or without a proper notification for the user, is bad.
https://example.com/. And let’s assume that there’s a link like
https://example.com/login which is specified in the HTTP GET parameter
attacker.com after the signup, this means we have a classic open redirect vulnerability.
Why does this happen?
redirect_url parameter and redirects to that URL using the
u and blindly redirects it to the specified URL.
window object. This will cause a redirect. If there are no checks in place, then it’s a bug.
content attribute, and you can also specify the refresh delay time.
How to find them?
- Visit every endpoint of the target to find these “redirect” parameters.
- View your proxy history, you might find something. Make sure to use filters.
- Brute-forcing helps too.
- Google is your friend, example query:
- Understand and analyze where redirection is needed in the target application, like redirecting to the dashboard after login or something similar.
Some tricks to find these bugs
- Test for basic modifications of the URL like
- Try with double forward slashes
email@example.com. In this case the interpretation will be: target.com is the username and attacker.com will be the domain.
target.com/?image_url=attacker.com/.jpg if there’s an image resource being loaded.
- Try IP address instead of the domain name.
- You can go further in terms of representing the IP in decimal, hex or octal.
- You can also try target.com/?redirect_url=target.com.attacker.com to bypass weak regex implementations.
- Chinese separator 。 as the dot
- Test for the Unicode string reverser character (“u202e”, i.e. U+202E RIGHT-TO-LEFT OVERRIDE)
- No slashes
- Back slashes
- Different domain
redirect_url=.jp resulting in redirection to target.com.jp, which is not the same as
- Try some Unicode (including emojis) madness, e.g. 𝐀ttacker.com (‘𝐀’ is “uD835uDC00”).
example.com. It has a password recovery page at
example.com/forgot-password. You enter the email and click on the Forgot Password button, and it’ll send you an email with a password reset link, and this link might look like
redirect parameter and change it to
- Only use redirects if you really need them.
- If you do use them, make sure you properly check the target against the whitelisted domains and only allow the ones that match.
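The following is an added example (not code from the original post) of the whitelist check recommended above, written for the server-side case from “Why does this happen?” where a `redirect_url` parameter is read and redirected to blindly. It assumes a hypothetical allowlist `ALLOWED_HOSTS` for `target.com` and refuses the bypass shapes listed in the tricks section (double slashes, backslashes, `user@host`, `target.com.attacker.com`, raw IPs, Unicode look-alikes) by requiring an exact host match rather than a regex.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (constructed sample allowlist;
# a real deployment would load its own). Exact match only, never suffix matching,
# so "target.com.attacker.com" can never pass as "target.com".
ALLOWED_HOSTS = {"target.com", "www.target.com"}


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site path or an absolute http(s) URL whose host
    is on the allowlist; every other shape is refused."""
    # Reject anything outside printable ASCII: Unicode dot/letter look-alikes,
    # the U+202E reverser, emojis, tabs/newlines and leading spaces.
    if not url or not all(0x21 <= ord(c) <= 0x7E for c in url):
        return False
    # Browsers treat "\" like "/", many parsers do not; refuse it outright.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: only http/https (no javascript:/data:), no userinfo
        # (the target.com@attacker.com trick), and the *parsed* host must
        # exactly equal an allowlisted entry. Raw or decimal IPs fail here too.
        if parts.scheme not in ("http", "https"):
            return False
        if not parts.netloc or "@" in parts.netloc:
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    # No scheme: allow only an absolute same-site path. Check the raw string,
    # because urlsplit collapses "///attacker.com" into path "/attacker.com"
    # while a browser treats it as a scheme-relative URL to attacker.com.
    if parts.netloc:
        return False
    return url.startswith("/") and not url.startswith("//")


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """What a login or password-reset handler should redirect to instead of
    using the redirect_url parameter as-is."""
    return url if is_safe_redirect(url) else fallback
```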