GET-Based Open Redirect
Description
The application may implement redirection using a GET parameter.
Example
http://example.com/exit.php?url=http://new.example.com
This will redirect the user to http://new.example.com.
Here, url is supplied as a GET parameter; the parameter name varies between applications.
An attacker can use
http://example.com/exit.php?url=http://attacker.com
If the server does not validate the url parameter, the application is vulnerable to Open Redirection.
Depending on the implementation, an open redirect can sometimes lead to client-side code execution (JavaScript): this applies when the redirect is performed client-side, e.g. by assigning the parameter to window.location, rather than via an HTTP Location header, which browsers will not execute as script. Example:
http://example.com/exit.php?url=javascript:alert(document.domain)
Impact
- An attacker can use this to redirect users to a malicious site that may spread malware or may be used for phishing.
Prevention
- Avoid URL redirections based on user input.
- If redirection is needed at all, use an internal id that the server resolves to the actual redirect URL.
- Show a redirect warning page and redirect only if the user clicks the "I agree" button.
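The following is an added example (not code from the original page) showing the weak pattern from the Example section next to the hardened resolution described under Prevention: an internal-id lookup table, and an allowlist validator for cases where a raw URL must still be accepted. The REDIRECT_TARGETS table, the ALLOWED_HOSTS allowlist and the function names are constructed for this example. The validator also covers the edge cases a practitioner would test for: non-http(s) schemes such as javascript:, scheme-relative targets like //attacker.com, backslash variants some browsers treat as slashes, and credentials-in-URL tricks such as http://example.com@attacker.com.

```python
from urllib.parse import urlsplit

# Constructed lookup table for the "internal id" approach: the client sends an id,
# the server decides where it resolves to.
REDIRECT_TARGETS = {
    "home": "/",
    "account": "/account/settings",
    "docs": "https://docs.example.com/start",  # constructed, hypothetical host
}

# Constructed allowlist of hosts the application trusts for absolute redirects.
ALLOWED_HOSTS = {"example.com", "docs.example.com"}


def vulnerable_redirect_target(url_param: str) -> str:
    """The weak pattern from the page's example: the 'url' parameter is used as-is,
    so any absolute URL (or a javascript: URI in a client-side redirect) is accepted."""
    return url_param


def is_safe_redirect(url_param: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site absolute path ("/...") or an http(s) URL
    whose host is on the allowlist. Everything else is rejected."""
    if not url_param:
        return False
    # Some browsers treat backslashes like forward slashes, so "/\attacker.com"
    # would otherwise look like a local path. Normalise before parsing.
    candidate = url_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Reject javascript:, data:, vbscript: and anything else that is not http(s).
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # .hostname ignores userinfo, so "http://example.com@attacker.com"
        # yields "attacker.com" and is rejected by the allowlist.
        return (parts.hostname or "").lower() in allowed_hosts
    # No scheme: a scheme-relative URL ("//attacker.com") has a netloc; a genuine
    # local path does not and starts with a single slash.
    if parts.netloc or candidate.startswith("//"):
        return False
    return candidate.startswith("/")


def resolve_redirect(url_param=None, target_id=None, default="/") -> str:
    """Hardened resolution: prefer an internal id; otherwise accept a url only if
    it passes is_safe_redirect; fall back to a safe default."""
    if target_id is not None:
        return REDIRECT_TARGETS.get(target_id, default)
    if url_param is not None and is_safe_redirect(url_param):
        return url_param.strip()
    return default


if __name__ == "__main__":
    # Constructed sample inputs mirroring the page's examples.
    for sample in ("http://new.example.com",
                   "http://attacker.com",
                   "javascript:alert(document.domain)",
                   "//attacker.com/login",
                   "/account/settings"):
        print(f"{sample!r:45} vulnerable -> {vulnerable_redirect_target(sample)!r:40} "
              f"hardened -> {resolve_redirect(url_param=sample)!r}")
```

In the hardened path, anything that fails validation collapses to the default landing page instead of raising an error, which keeps the behaviour predictable for legitimate users while denying the attacker control of the destination. Note that http://new.example.com from the page's own example is also rejected unless new.example.com is added to the allowlist, which is the intended strictness.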