Detectify
Knowledge Base
Open Redirect

Last Updated: Sep 05, 2017 05:05PM CEST

An open redirect occurs when an application takes a URL from a request parameter and redirects the user to it without any further validation.

What can happen?

In most cases, an Open Redirect is very easy to exploit, which increases the likelihood of someone finding the vulnerability and abusing it. However, the potential impact of an Open Redirect on its own is not necessarily that dangerous. It is mostly used in phishing attacks or in chained attacks where the Open Redirect is only one of several elements used.

Example of Open Redirect

A website uses a URL like this one to redirect users to its forum:
https://example.com/redirect.php?url=forum.php

In a situation like this, an attacker could simply change the redirect parameter to a URL of their choice and, by doing so, trick the user into visiting the attacker's site. That could look something like this:
https://example.com/check.php?redirect=https://evil.site

Remediation

There are a few possible ways to remediate this issue.

  • Try to avoid redirects altogether. In most cases, they are not needed.
  • If a redirect is necessary, do not trust user input for its destination.
  • Map the destination input to a value that the server then translates to the original value before doing the redirect. This prevents the attacker from changing it.
  • Have a whitelist of allowed URLs - this can be done with a regex. Be careful with this, as it is easy to make mistakes without realizing it.
  • If none of the above is possible, force all redirects to a page where the user will have to click a button to confirm they are leaving your site.

One common, but insufficient, remediation method is ensuring that the URL starts with a '/'. An attacker could easily bypass that by just using '//' instead of 'https://', because browsers treat a leading '//' as a scheme-relative URL that points at another host.
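The following is an added example, not code from the original article, that puts the remediation advice above side by side: the insufficient leading-'/' check, a server-side mapping of short tokens to destinations, and a local-path check that uses a URL parser instead of a prefix test. The parameter names, the mapping table and the fallback path are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Insufficient check described above: only requires a leading "/".
# "//evil.site" passes, yet browsers read it as a scheme-relative URL
# and send the user to another host.
def naive_is_safe(target: str) -> bool:
    return target.startswith("/")

# Remediation 1: the client supplies a token, never a URL. The server maps
# the token to a destination it controls. Table entries are constructed.
REDIRECT_MAP = {
    "forum": "/forum.php",
    "account": "/account/settings",
}

def resolve_mapped(token: str) -> Optional[str]:
    """Return the server-side destination for a known token, else None."""
    return REDIRECT_MAP.get(token)

# Remediation 2: if a path must be accepted, verify it is a same-site
# absolute path with a real parser rather than a prefix check.
def is_local_path(target: str) -> bool:
    # Reject "//host" and "/\host" (browsers normalise "\" to "/").
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    # A scheme or host component means the parser saw an external URL.
    if parts.scheme or parts.netloc:
        return False
    # Control characters and whitespace are used to smuggle URLs past
    # filters; a legitimate path never needs them.
    if any(ord(c) < 0x21 for c in target):
        return False
    return True

def safe_redirect_target(value: str, fallback: str = "/") -> str:
    """Resolve a redirect parameter to a destination the server trusts.

    Unknown or external values fall back to a local default page."""
    mapped = resolve_mapped(value)
    if mapped is not None:
        return mapped
    if is_local_path(value):
        return value
    return fallback
```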
