Exercise 56: Insecure Redirects and Forwards

Jul 11, 2025

Objective

Learn how to exploit Insecure Redirects and Forwards to trick users into visiting malicious websites or bypass authentication mechanisms. Understand how to prevent these vulnerabilities by validating redirect URLs, using allow-lists, and enforcing secure redirect mechanisms.


Scenario

You are testing a web application that redirects users to a specified URL after login using a query parameter. Due to insufficient validation, an attacker can manipulate the redirect URL to send users to a malicious website.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and web servers.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Tools like Burp Suite or browser developer tools for intercepting and modifying requests.

Step 1: Create the Vulnerable Web Application

  1. PHP Script for Vulnerable Redirects
    • Create a file login.php (the redirect_url query parameter is passed to the Location header without any validation; this is the flaw the lab exploits):

        <?php
        if (isset($_POST['login'])) {
            $username = $_POST['username'];
            $password = $_POST['password'];
            // Simple authentication check
            if ($username === 'admin' && $password === 'password') {
                // Vulnerable: the form posts back to the current URL, so the
                // query string survives and the redirect target is read from it unchecked
                $redirect_url = $_GET['redirect_url'] ?? 'dashboard.php';
                header("Location: $redirect_url");
                exit;
            } else {
                echo "<h2>Invalid Credentials</h2>";
            }
        }
        ?>
        <h2>Login</h2>
        <form method="POST" action="">
            Username: <input type="text" name="username" required><br>
            Password: <input type="password" name="password" required><br>
            <button type="submit" name="login">Login</button>
        </form>
  2. Dashboard Page
    • Create a simple file dashboard.php:

        <?php
        echo "<h2>Welcome to the Dashboard!</h2>";
        ?>
  3. Running the Application
    • Start the Apache server.
    • Place both login.php and dashboard.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/login.php in your browser.

Exploitation Steps

Step 1: Crafting a Malicious Redirect

  1. Craft a URL to exploit the redirect: http://localhost/login.php?redirect_url=http://attacker.com
  2. Enter valid login credentials (admin / password).
  3. Expected Result:
    • After logging in, the user is redirected to http://attacker.com instead of dashboard.php.

Step 2: Phishing Scenario

  1. The attacker sends a phishing link like: http://victimsite.com/login.php?redirect_url=http://malicious.com
  2. Expected Result:
    • Victims are redirected to a fake website that looks identical to the legitimate one, stealing their credentials.

Solution and Prevention

Problem Analysis

  • The application redirects users based on a user-controlled input (redirect_url) without validation, allowing redirection to untrusted websites.

Fixing the Vulnerability

  1. Validate Redirect URLs
    • Ensure the redirect URL is within the same domain. Compare the host exactly (not with a substring check), and default to an empty host for relative URLs, which parse_url returns without one:

        $allowed_domains = ['localhost', 'example.com'];
        $parsed_url = parse_url($_GET['redirect_url'] ?? '');
        $host = $parsed_url['host'] ?? '';
        if (in_array($host, $allowed_domains, true)) {
            header("Location: {$_GET['redirect_url']}");
        } else {
            header("Location: dashboard.php");
        }
        exit;
  2. Use Relative URLs Only
    • Restrict redirects to internal pages. A leading slash on its own is not enough: browsers treat "//host" and "/\host" as protocol-relative URLs that leave the site, so those prefixes must be rejected as well:

        $url = $_GET['redirect_url'] ?? '';
        if (strpos($url, '/') === 0 && strpos($url, '//') !== 0 && strpos($url, '/\\') !== 0) {
            header("Location: $url");
        } else {
            header("Location: dashboard.php");
        }
        exit;
  3. Implement a Redirect Allow-List
    • Define allowed redirect paths and accept only an exact match (strict comparison):

        $allowed_pages = ['dashboard.php', 'profile.php'];
        $target = $_GET['redirect_url'] ?? '';
        if (in_array($target, $allowed_pages, true)) {
            header("Location: $target");
        } else {
            header("Location: dashboard.php");
        }
        exit;
  4. Display Redirect Notices
    • Inform users when they are redirected, for example on an interstitial page shown before the browser leaves the site:

        echo "You are being redirected to a different page. Click here if not redirected automatically.";
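The three validation fixes above can be combined into a single routine that login.php calls before setting the Location header. The following is an added example, not code from the original lab; the function name, its parameters and the sample inputs are constructed for this demonstration.

```php
<?php
// Added example, not part of the original lab: one routine that combines the
// three fixes above (allow-list, relative-path check, host check). Function
// name, parameter names and the sample inputs are constructed for this demo.
// Returns a safe Location value for $candidate, or $default when untrusted.
function safe_redirect_target(?string $candidate, array $allowed_pages,
                              array $allowed_hosts, string $default): string
{
    // Empty value, or CR/LF that could split the HTTP response: use default.
    if ($candidate === null || $candidate === '' || preg_match('/[\r\n]/', $candidate)) {
        return $default;
    }
    // Fix 3: exact match against the allow-list of internal pages.
    if (in_array($candidate, $allowed_pages, true)) {
        return $candidate;
    }
    // Fix 2: relative path. A second slash or a backslash right after the
    // leading slash ("//host", "/\host") is read by browsers as an authority,
    // so only a single leading slash is accepted.
    if (preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $candidate;
    }
    // Fix 1: absolute http(s) URL whose host exactly matches the list.
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (in_array($scheme, ['http', 'https'], true) && in_array($host, $allowed_hosts, true)) {
        return $candidate;
    }
    return $default;
}

// Constructed inputs covering each branch; run with `php validate_redirect.php`.
$pages = ['dashboard.php', 'profile.php'];
$hosts = ['localhost', 'example.com'];
$samples = [
    'profile.php',                    // allow-listed page
    '/dashboard.php',                 // relative path
    'http://localhost/profile.php',   // allowed host
    'http://attacker.com',            // external host, as in the exploit step
    '//attacker.com',                 // protocol-relative URL
    'http://localhost.attacker.com',  // host is not an exact match
];
foreach ($samples as $input) {
    echo str_pad($input, 32), ' -> ', safe_redirect_target($input, $pages, $hosts, 'dashboard.php'), "\n";
}
```

In login.php the call would replace the raw header line: `header('Location: ' . safe_redirect_target($_GET['redirect_url'] ?? null, $pages, $hosts, 'dashboard.php')); exit;`.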

Testing After Fix

  1. Attempt to redirect to http://attacker.com.
  2. Expected Result:
    • The server rejects the external target and sends the user to the safe default page (dashboard.php) instead.
  3. Try relative URLs like /dashboard.php.
  4. Expected Result:
    • The redirect works correctly for allowed internal pages.

Conclusion

In this lab, you exploited an Insecure Redirect and Forward vulnerability to redirect users to malicious websites. You also learned how to mitigate this vulnerability by validating redirect URLs, using allow-lists, and enforcing secure redirect mechanisms.
