GET-Based Open Redirect

Description

The application may implement redirection through a GET parameter that carries the destination URL.

Example

http://example.com/exit.php?url=http://new.example.com

This will redirect the user to http://new.example.com.
Here the destination is supplied in the GET parameter named url; the parameter name varies between applications (for example next, return, redirect, goto).

An attacker can instead supply http://example.com/exit.php?url=http://attacker.com

If the server does not validate the url parameter, the endpoint is vulnerable to Open Redirect.

Depending on the implementation, an Open Redirect can sometimes lead to client-side code execution (JavaScript), for example when the value is used as a link or location target: http://example.com/exit.php?url=javascript:alert(document.domain)

Impact

  • An attacker can use this to redirect users to a malicious site that may spread malware or be used for phishing; because the link starts on the trusted domain, users are more likely to follow it.

Prevention

  • Avoid user-input based URL redirections.
  • If a redirect is needed at all, use an internal id that the server resolves to the actual redirect URL.
  • Show a redirect warning page and redirect only if the user clicks the "I agree" button.
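The following is an added example, not code from the original page: a small Python model of the exit endpoint, showing the weak pattern described above beside the three hardened variants the Prevention list recommends (same-site path only, internal id lookup, and a warning interstitial for untrusted hosts). Every name in it (exit_redirect_vulnerable, safe_local_path, redirect_by_id, redirect_decision, LINK_TABLE, TRUSTED_HOSTS) is hypothetical, and the hosts and link table are constructed sample data.

```python
"""Added example, not code from the original page: a model of a redirect
endpoint showing the weak pattern beside the hardened variants recommended
under Prevention. All names here are hypothetical and the data is constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data for the illustration.
LINK_TABLE = {
    "docs": "https://docs.example.com/",
    "partner": "https://partner.example.org/landing",
}
TRUSTED_HOSTS = {"example.com", "new.example.com"}


def exit_redirect_vulnerable(url_param: str) -> str:
    """Weak pattern: whatever ?url= carries becomes the Location header unchanged."""
    return url_param


def _has_unsafe_chars(value: str) -> bool:
    """Whitespace and control characters have no place in a redirect target;
    a CR or LF in particular would let the value break out of the Location header."""
    return any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def safe_local_path(url_param: str, fallback: str = "/") -> str:
    """Hardened variant 1: accept only a same-site path, otherwise return fallback.

    Rejected: absolute URLs and any scheme (http:, javascript:, data:),
    scheme-relative //host forms, and /\\host forms, which browsers treat as //host.
    """
    if not url_param or _has_unsafe_chars(url_param):
        return fallback
    candidate = url_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    # Rebuild from the parsed pieces so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def redirect_by_id(link_id: str, fallback: str = "/") -> str:
    """Hardened variant 2: the client supplies an internal id, never a URL."""
    return LINK_TABLE.get(link_id, fallback)


def redirect_decision(url_param: str) -> tuple:
    """Hardened variant 3: classify the target instead of trusting it.

    Returns (action, target): local paths and allowlisted hosts redirect
    directly, any other http(s) host gets the "I agree" warning page, and
    everything else (javascript:, data:, malformed input) is blocked.
    """
    if not url_param or _has_unsafe_chars(url_param):
        return ("block", "/")
    local = safe_local_path(url_param, fallback="")
    if local:
        return ("redirect", local)
    parts = urlsplit(url_param.replace("\\", "/"))
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        target = urlunsplit(parts)  # normalised form, not the raw parameter
        if parts.hostname.lower() in TRUSTED_HOSTS:
            return ("redirect", target)
        return ("warn", target)
    return ("block", "/")


if __name__ == "__main__":
    for value in ("/account?tab=1", "http://new.example.com",
                  "http://attacker.com", "//attacker.com",
                  "javascript:alert(document.domain)"):
        print(f"{value!r:45} vulnerable -> {exit_redirect_vulnerable(value)!r:45} "
              f"decision -> {redirect_decision(value)}")
```

Note that the check operates on the parsed URL rather than on string prefixes: the backslash normalisation and the explicit `//` test exist because a plain `startswith("/")` check passes `//attacker.com` and `/\attacker.com`, both of which browsers resolve to another host. Port numbers are dropped by `hostname`, so an allowlist comparison on host alone treats `example.com:8080` as trusted; compare `netloc` instead if ports matter in your deployment.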