CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
URL Redirection to Untrusted Site ('Open Redirect')
Weakness ID: 601 (Weakness Variant)
Status: Draft
Description
Description Summary
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Extended Description
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
Alternate Terms
Open Redirect
Cross-site Redirect
Cross-domain Redirect
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
Language-independent
Architectural Paradigms
Web-based
Common Consequences
Scope
Effect
Access Control
Technical Impact: Bypass protection
mechanism; Gain privileges / assume
identity
The user may be redirected to an untrusted page that contains malware
which may then compromise the user's machine. This will expose the user
to extensive risk and the user's interaction with the web server may
also be compromised if the malware conducts keylogging or other attacks
that steal credentials, personally identifiable information (PII), or
other important data.
Access Control
Confidentiality
Other
Technical Impact: Bypass protection
mechanism; Gain privileges / assume
identity; Other
The user may be subjected to phishing attacks by being redirected to
an untrusted page. The phishing attack may point to an attacker
controlled web page that appears to be a trusted web site. The phishers
may then steal the user's credentials and then use these credentials to
access the legitimate web site.
Likelihood of Exploit
Low to Medium
Detection Methods
Manual Static Analysis
Since this weakness does not typically appear frequently within a
single software package, manual white box techniques may be able to
provide sufficient code coverage and reduction of false positives if all
potentially-vulnerable operations can be assessed within limited time
constraints.
Effectiveness: High
Automated Dynamic Analysis
Automated black box tools that supply URLs to every input may be able
to spot Location header modifications, but test case coverage is a
factor, and custom redirects may not be detected.
Automated Static Analysis
Automated static analysis tools may not be able to determine whether
input influences the beginning of a URL, which is important for reducing
false positives.
Other
Whether this issue poses a vulnerability will be subject to the
intended behavior of the application. For example, a search engine might
intentionally provide redirects to arbitrary URLs.
Demonstrative Examples
Example 1
The following code obtains a URL from the query string and then
redirects the user to that URL.
(Bad Code)
Example
Language: PHP
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
The problem with the above code is that an attacker could use this
page as part of a phishing scam by redirecting users to a malicious
site. For example, assume the above code is in the file example.php. An
attacker could supply a user with the following link:
The user sees the link pointing to the original trusted site
(example.com) and does not realize the redirection that could take
place.
Example 2
The following code is a Java servlet that will receive a GET request
with a url parameter in the request to redirect the browser to the address
specified in the url parameter. The servlet will retrieve the url parameter
value from the request and send a response to redirect the browser to the
url address.
(Bad Code)
Example
Language: Java
public class RedirectServlet extends HttpServlet {
The problem with this Java servlet code is that an attacker could use
the RedirectServlet as part of a e-mail phishing scam to redirect users
to a malicious site. An attacker could send an HTML formatted e-mail
directing the user to log into their account by including in the e-mail
the following link:
(Attack)
Example
Language: HTML
<a
href="http://bank.example.com/redirect?url=http://attacker.example.net">Click
here to log in</a>
The user may assume that the link is safe since the URL starts with
their trusted bank, bank.example.com. However, the user will then be
redirected to the attacker's web site (attacker.example.net) which the
attacker may have made to appear very similar to bank.example.com. The
user may then unwittingly enter credentials into the attacker's web page
and compromise their bank account. A Java servlet should never redirect
a user to a URL without verifying that the redirect address is a trusted
site.
An open redirect vulnerability in the search
script in the software allows remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL as a parameter to
the proper function.
Open redirect vulnerability in the software allows
remote attackers to redirect users to arbitrary web sites and conduct
phishing attacks via a URL in the proper
parameter.
Potential Mitigations
Phase: Implementation
Strategy: Input Validation
Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.
When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright.
Use a whitelist of approved URLs or domains to be used for
redirection.
Phase: Architecture and Design
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Phase: Architecture and Design
Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is
limited or known, create a mapping from a set of fixed input values
(such as numeric IDs) to the actual filenames or URLs, and reject all
other inputs.
For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [R.601.4] provide this capability.
Phase: Architecture and Design
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [R.601.1]. Be sure that the nonce is not predictable (CWE-330).
Note that this can be bypassed using XSS (CWE-79).
Phases: Architecture and Design; Implementation
Strategy: Identify and Reduce Attack Surface
Understand all the potential areas where untrusted inputs can enter
your software: parameters or arguments, cookies, anything read from the
network, environment variables, reverse DNS lookups, query results,
request headers, URL components, e-mail, files, filenames, databases,
and any external systems that provide data to the application. Remember
that such inputs may be obtained indirectly through API calls.
Many open redirect problems occur because the programmer assumed that
certain inputs could not be modified, such as cookies and hidden form
fields.
Phase: Operation
Strategy: Firewall
Use an application firewall that can detect attacks against this
weakness. It can be beneficial in cases in which the code cannot be
fixed (because it is controlled by a third party), as an emergency
prevention measure while more comprehensive software assurance measures
are applied, or to provide defense in depth.
Effectiveness: Moderate
An application firewall might not cover all possible input vectors. In
addition, attack techniques might be available to bypass the protection
mechanism, such as using malformed inputs that can still be processed by
the component that receives those inputs. Depending on functionality, an
application firewall might inadvertently reject or modify legitimate
requests. Finally, some manual effort may be required for
customization.
Background Details
Phishing is a general term for deceptive attempts to coerce private
information from users that will be used for identity theft.
Description
