URL Redirection – Prevention and Detection of Malicious Redirects


Let’s break the term apart to get its meaning. URL (Uniform Resource Locator) is the uniform way of locating a resource on the web, and Redirection means sending the client on to another location. What does an attacker gain from this vulnerability in a web application? The trust of the user. For example, the attacker makes a phishing attempt by sending the user a link to a trusted website. Because the link points at a site the user knows and trusts, the user clicks it and lands in the attacker’s plot. From there the attacker can do anything with it, such as requesting personal information from many users.

As I’ve already stated, this is a vulnerability (weakness) in the web application. There are numerous ways to secure the application. Let’s look at it from the code standpoint first.

Never Trust user-controlled data – Parameter based

The application will have functionality that accepts user input for processing. For example, navigating the user to his profile settings on another domain internally, as is usual with single sign-on (SSO) authentication. The URL redirect function will be called in the code to complete this step. But the application does not know whether the incoming request is from a legitimate or an illegitimate user, and if it fails to validate this input, the function will redirect the user to wherever the user-supplied input points.

Some of the functions that perform this URL redirect are:

Java

response.sendRedirect("http://www.example.com");

PHP

<?php
header("Location: http://www.example.com");
exit;
?>

ASP .NET

Response.Redirect("~/login/account.aspx")

Note: ASP .NET MVC 1 and 2 websites are vulnerable to this redirection attack; it is best to use MVC 3. Refer to https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks

Session restoration:

The application will have functionality to restore the user’s activity, or to land the user on the last page used, in order to give a user-friendly experience.

https://example.com/login?returnUrl=/account

This can be tested during penetration testing. The functionality works like this: once the user logs in again, he is landed on the same page he used before the session expired. The analyst can now supply an external domain in place of /account and check whether the application redirects to it or not. If it does, the application is vulnerable.

https://example.com/login?returnUrl=https://www.demosite.com

DOM Based

JavaScript can acquire data directly from the web browser. Let’s look at JavaScript sinks first. If you open the URL below in the browser, the browser will not send #scores to the application, because the fragment #scores is only available to the browser, and it can be read using JavaScript.

https://example.com/#scores

If the application uses the code below, it leads to an open redirect.

window.location = window.location.hash.substr(1)

How can an attacker learn about this feature? Manual review is needed to identify it; Burp will report the combination of JavaScript sinks and redirect functions.

An attacker can use this to craft a link that redirects to his site in a phishing attempt.

https://example.com/#https://www.demosite.com

So it is essential to check the JavaScript manually to find this vulnerability rather than checking HTTP traffic alone, because this type of DOM-based behaviour is not seen in normal Burp HTTP traffic.

Preventive Measures:

  • Always validate the request from the client before processing it. It is far better to have an internal check than to rely on external tools to do the work; those can be kept as additional security.
  • If possible, hardcode direct links in the code.
  • Keep a list of internal domain URLs and look them up from a request identifier. Then pass the relevant URL from the application after checking the user’s role. This way we block user-supplied URLs and also validate whether the user’s role is authorized to view the requested information.
  • The application should use a redirection function that appends the value after the domain.
  • Ultimately, the application knows where to redirect. So when the request comes from the user, a function can match the value against the list of redirect URLs. If everything matches, it appends only the user value to the redirect URL and issues it to the client.
  • Restrict JavaScript URIs such as javascript:alert(1) because they may lead to an XSS attack.
  • Use a regex that permits only what this function needs to allow. Filter the values and process clean requests alone.
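The following is an added example, not code from the original post, showing one validator that hardens both the ?returnUrl= parameter from the session-restoration section and the DOM-based location.hash sink, plus the identifier-lookup design from the list above. It assumes the application is served from https://example.com and may only send users to the hosts in ALLOWED_HOSTS; APP_ORIGIN, ALLOWED_HOSTS and REDIRECT_TABLE are example values.

```javascript
// Added example (not from the original post). Assumed values: APP_ORIGIN,
// ALLOWED_HOSTS, REDIRECT_TABLE. Works in Node and in the browser (WHATWG URL).
const APP_ORIGIN = "https://example.com";
const ALLOWED_HOSTS = new Set(["example.com", "accounts.example.com"]);
const FALLBACK = new URL("/account", APP_ORIGIN).href; // safe default landing page

// Returns an absolute URL that is safe to redirect to, or FALLBACK when the
// user-supplied value cannot be trusted.
function safeRedirectTarget(userValue) {
  if (typeof userValue !== "string" || userValue.trim() === "") return FALLBACK;
  let parsed;
  try {
    // Resolving against APP_ORIGIN keeps bare paths such as "/account" on our own
    // origin, while "//evil", "https://evil" and "/\evil" resolve to a foreign host.
    parsed = new URL(userValue.trim(), APP_ORIGIN);
  } catch {
    return FALLBACK; // unparsable input is never a valid in-app destination
  }
  // Block javascript:, data: and every other non-HTTP scheme (XSS via redirect).
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return FALLBACK;
  // Allowlist the hostname the browser will actually contact; this also rejects
  // "https://example.com@evil" (userinfo trick), "example.com.evil" and odd ports.
  if (parsed.port !== "" || !ALLOWED_HOSTS.has(parsed.hostname)) return FALLBACK;
  parsed.protocol = "https:"; // never downgrade an HTTPS app to HTTP
  return parsed.href;
}

// DOM-based variant: replaces `window.location = window.location.hash.substr(1)`.
// In the browser: window.location = redirectFromHash(window.location.hash);
function redirectFromHash(hash) {
  return safeRedirectTarget(hash.startsWith("#") ? hash.slice(1) : hash);
}

// The post's preferred design: the client sends an identifier, never a URL, and
// the server looks the destination up in its own table.
const REDIRECT_TABLE = { account: "/account", settings: "/settings/profile" };
function redirectById(id) {
  return Object.prototype.hasOwnProperty.call(REDIRECT_TABLE, id)
    ? new URL(REDIRECT_TABLE[id], APP_ORIGIN).href
    : FALLBACK;
}
```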

Detection in SIEM logs

  • Check for HTTP 3xx status codes in logs such as web application firewall, next-generation firewall, and application logs that are collected as a business priority.
  • Do a gap-time analysis from a statistical view to understand how frequently connections are redirected to the landing page. How often does it occur?
  • Review the HTTP methods (GET, POST, etc.) together with the 3xx codes to confirm the possible actions of malicious requests.
  • Check the CSP (Content Security Policy) in logs to see whether the third-party applications are trusted by the organization or not.
  • Check your vulnerability scanner results for application code flaws that are yet to be fixed.
  • Inspect the externally contacted URL (https://example.com/#https://www.demosite.com) and its threat level with VirusTotal, urlscan.io, Should I Click, etc.
  • Monitor your WAF traffic closely, which can indicate whether a site has been tampered with or not.
  • If your organization uses RASP (Runtime Application Self-Protection), check the Unvalidated Redirects logs and whether the request was blocked or allowed.
  • Validate the hostnames in HTTP headers using publicly available threat intel such as VirusTotal.
  • Map and detect the internal IP address originating the request, and check whether the connection is established from only one IP address or from multiple.
  • If the site is legitimate and a request is still made to the malicious site, sandbox the legitimate site and review its source code to find any malicious websites that may be hiding, possibly in encoded form.
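As an added example (not part of the original post), the detection logic below walks a constructed log export and applies the first three bullets: it picks out 3xx responses whose Location host is outside the trusted set, notes whether the request itself carried an off-site returnUrl (the user-controlled pattern from this post), and counts findings per source IP for the frequency view. The five-field log format and TRUSTED_HOSTS are assumptions for this example; map them to your own SIEM schema.

```javascript
// Added example, not from the original post. Constructed log format:
// "<client ip> <method> <request target> <status> <Location header or ->"
const TRUSTED_HOSTS = new Set(["example.com", "accounts.example.com"]);
const SAMPLE_LOG = [
  "10.0.0.5 GET /login?returnUrl=/account 302 https://example.com/account",
  "10.0.0.5 GET /login?returnUrl=https://www.demosite.com 302 https://www.demosite.com/",
  "10.0.0.7 POST /login?returnUrl=//www.demosite.com 302 https://www.demosite.com/",
  "10.0.0.9 GET /docs 301 https://accounts.example.com/docs",
  "10.0.0.9 GET /index.html 200 -",
  "10.0.0.11 GET /go/partner 302 https://partner.example.net/",
];

// Hostname a browser would contact for `value`, or null if it does not parse.
function hostOf(value, base) {
  try { return new URL(value, base).hostname; } catch { return null; }
}

// Returns one finding per 3xx response that leaves the trusted hosts. userControlled
// is true when the request's returnUrl parameter itself pointed off-site, i.e. the
// redirect target came from the client rather than from application logic.
function findExternalRedirects(lines, base = "https://example.com") {
  const findings = [];
  for (const line of lines) {
    const [ip, method, target, status, location] = line.split(" ");
    if (!/^3\d\d$/.test(status) || location === "-") continue;
    const locationHost = hostOf(location, base);
    if (locationHost !== null && TRUSTED_HOSTS.has(locationHost)) continue;
    const returnUrl = new URL(target, base).searchParams.get("returnUrl");
    const paramHost = returnUrl === null ? null : hostOf(returnUrl, base);
    findings.push({
      ip, method, status, target, locationHost,
      userControlled: paramHost !== null && !TRUSTED_HOSTS.has(paramHost),
    });
  }
  return findings;
}

// Frequency view for the gap/statistical analysis bullet: findings per source IP.
function countBySourceIp(findings) {
  const counts = {};
  for (const f of findings) counts[f.ip] = (counts[f.ip] || 0) + 1;
  return counts;
}
```

A finding with userControlled false (the /go/partner line) is a deliberate link-out to review against your allowlist, while userControlled true is the open-redirect pattern worth escalating.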
