Open Redirect.
Open Redirect Tutorial; Exploitation, Bypasses...
What is Open Redirect?
An open redirect vulnerability occurs when an application lets a user control the target of a redirect or forward to another URL. If the application does not validate this untrusted input, an attacker can supply a URL that sends an unsuspecting victim from the legitimate domain to an attacker-controlled phishing site.
Exploitation.
Basic Open Redirect Exploitation.
In the following image, hovering the mouse over the button shows that it redirects to https://google.com.
We can copy the full URL with “Copy link” and change the redirect target to point to our own server. The same can be done with Burp Suite. Whichever method is used, if the redirect target is not validated, the browser follows the redirect to the domain we specified.
Open Redirect Bypasses.
There are several ways an application may try to validate a redirect target, and the following are some of the bypasses that can be used against weak validation:
Input Validation.
One of the most common types of validation is input validation, also called filter validation.
For the redirect to work, the target must contain the word or full URL expected by the server. In this example, the desired redirect is rejected because it does not contain “https://www.google.com”.
We will use @ to bypass this type of redirection.
@ Bypass
Browsers give the @ character a special meaning: in the URL structure it separates the ‘username:password’ part from the host.
http://username:password@domain.com
With this in mind, we build the URL as: the value the server expects + @ + the attacker URL.
In this method, “https://www.google.com” ends up as the username portion of the malicious URL, so the filter sees the expected string while the browser connects to the host after the @.
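To show from the defender's side why the substring filter above fails and what a host-based allowlist check does instead, here is an added example (not code from the original tutorial). It uses Python's standard URL parser; the expected host "www.google.com" comes from the text, and "attacker.example" is a constructed placeholder.

```python
from urllib.parse import urlparse

# Values from the tutorial's filter example; the allowlist is an assumption.
REQUIRED_PREFIX = "https://www.google.com"
ALLOWED_HOSTS = {"www.google.com"}


def naive_is_allowed(url: str) -> bool:
    """The substring/filter validation described in the text: anything
    that merely *contains* the expected origin passes."""
    return REQUIRED_PREFIX in url


def strict_is_allowed(url: str) -> bool:
    """Parse the URL, then compare the real host against an allowlist.
    Same-site relative paths ("/account") are allowed; protocol-relative
    URLs ("//host/...") and non-http(s) schemes are rejected."""
    parts = urlparse(url)
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops any "user:pass@" prefix and the port and lower-cases
    # the host, so "www.google.com@attacker.example" yields attacker.example.
    return parts.hostname in ALLOWED_HOSTS


def evaluate(urls):
    """Return (url, naive_result, strict_result) for each candidate, e.g.
    for a log review of redirect parameters seen by the application."""
    return [(u, naive_is_allowed(u), strict_is_allowed(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample redirect parameters.
    samples = [
        "https://www.google.com/search?q=x",          # legitimate
        "https://www.google.com@attacker.example/",   # the @ bypass from the text
        "//attacker.example/",                         # protocol-relative
        "/account",                                    # same-site path
    ]
    for url, naive, strict in evaluate(samples):
        print(f"{url:45} naive={naive!s:5} strict={strict}")
```

The second sample passes the substring check but fails the host check, which is exactly the gap the @ bypass exploits; comparing the parsed host against an allowlist (or redirecting only to relative paths) closes it.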