Unvalidated Redirects and Forwards
Unvalidated Redirects and Forward Vulnerability, also sometimes referred to as URL Redirection Vulnerability, is a type of bug found in the Web Application. In this type of vulnerability, the attacker uses to manipulate the URL and sends it to the victim. As soon as the victim opens the URL, the website redirects it to a malicious website or website to which the attacker wants the user to get redirected. The attacker generally uses to exploit this type of Vulnerability with the help of manual manipulation in the URL or with the help of several tools like Burpsuite, which gives an attacker several types of ways due to which he can manipulate the URL to get Redirected.
How does URL Redirection work?
First of all, we need to get a brief idea about the HTTP Response Codes. So here are the response codes:
- 1×× Informational
- 2×× Success
- 3×× Redirection
- 4×× Client Error
- 5×× Server Error
The above HTTP Status code tells us about the response that we receive from a website. So for URL redirection, generally, 3xx Codes are redirection codes that say to the user that this URL is going to get redirected to some other page. The attacker takes advantage of this and tries to inject their payloads or manipulate the URL to send the victim to their malicious website. Below is the screenshot of the Burpsuite via which an attacker can add filters and can find out specific URLs having 3xx codes.
The above image is only showing those URLs which have a 3xx code. Now we have to check the specific parameters in the URL, for example (dest, redirect, url, path, continue, URL, navigation), etc. The URL would be somewhat like this https://www.xyz.com/continue=www.xyz.com/abc. So the attacker removes the entire URL after “Continue” and adds his phishing page URL, which might be as an exact copy of the original webpage.
Step by Step Working of Attack –
- Attacker Intercept the request of URL in Burpsuite.
- Send the request to Spider.
- Check for the parameters & when found, send the request to the repeater tab.
- Attacker Choose the target location, where to apply your payload.
- Start attack.
By following the above steps, an attacker will get the list of particular URLs where the website is successfully redirected.
Impacts of the Attack –
- Attacks like CSRF can be chained via this bug
- XSS (Cross-Site Scripting) can be exploited in this case
- Theft of confidential Information
- Users can be tricked on a phishing page and can be exploited in several ways.
Remediations of Unvalidated Redirects & Forwards Vulnerability –
- Remove redirection functions from the Web Application & replace them with direct links
- A server-side list should be maintained for all the particular URLs that are needed to be redirected
- Proper Validation in the URL those are redirecting must be integrated at the backend
- Absolute URLs must be used in the Web Applications for all the specific redirects.