Objective
Learn how to exploit Open Redirection Vulnerabilities to redirect users to malicious websites and understand how to prevent these vulnerabilities by validating and controlling redirection destinations.
Scenario
You are testing a web application that redirects users to different pages based on a URL parameter. Due to the lack of proper validation, attackers can manipulate the redirect URL to trick users into visiting malicious websites, making the application a vector for phishing attacks.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and URL handling.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for URL Redirection
Create a file redirect.php:
<?php
// Intentionally vulnerable: the url parameter is sent straight to the Location header with no validation.
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    header("Location: $url");
    exit();
} else {
    echo "<h2>No URL specified for redirection.</h2>";
}
?>
<h2>Redirect to Another Page</h2>
<form method="GET" action="">
URL: <input type="text" name="url" required><br>
<button type="submit">Redirect</button>
</form>
Running the Application
- Start the Apache server.
- Place redirect.php in the web server’s root directory (htdocs for XAMPP).
- Open http://localhost/redirect.php in your browser.
Exploitation Steps
Step 1: Redirecting to a Malicious Site
Enter the following URL directly into the browser:
http://localhost/redirect.php?url=http://malicious-site.com
Expected Result:
- The application redirects the user to http://malicious-site.com without validation.
Step 2: Using the Vulnerability for Phishing
Craft a phishing link that appears legitimate:
http://localhost/redirect.php?url=http://phishingsite.com
Send this link via email or a social media message.
Expected Result:
- Victims clicking the link are redirected to the phishing site, believing it is legitimate.
Solution and Prevention
Problem Analysis
- The application blindly redirects to any URL supplied in the url parameter, with no check on the scheme or the destination host.
Fixing the Vulnerability
Use URL Whitelisting
Allow only trusted domains for redirection:
<?php
$allowed_domains = ['example.com', 'localhost'];
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    $parsed_url = parse_url($url);
    // parse_url() returns false on malformed input and omits 'host' for relative URLs,
    // so confirm the key exists before comparing it against the allow-list (strict match).
    if ($parsed_url !== false && isset($parsed_url['host']) && in_array($parsed_url['host'], $allowed_domains, true)) {
        header("Location: $url");
        exit(); // stop processing once the redirect header is sent
    } else {
        echo "<h2>Invalid redirect URL.</h2>";
    }
}
?>
Use Relative URLs for Internal Redirection
Redirect only to internal pages:
<?php
$allowed_pages = ['home', 'profile', 'settings'];
// The page name is never used directly; it is only looked up in a fixed list (strict match).
if (isset($_GET['page']) && in_array($_GET['page'], $allowed_pages, true)) {
    header("Location: /" . $_GET['page'] . ".php");
    exit(); // stop processing once the redirect header is sent
} else {
    echo "<h2>Invalid page.</h2>";
}
?>
Prompt User Before Redirecting
Add an intermediate page to confirm the redirect:
<?php
if (isset($_GET['url'])) {
    // ENT_QUOTES escapes both quote characters, so the value cannot break out of the attribute below.
    $url = htmlspecialchars($_GET['url'], ENT_QUOTES, 'UTF-8');
    echo "<h2>You are being redirected to: $url</h2>";
    // Note: escaping only prevents HTML injection; combine this page with the scheme check below.
    echo "<a href=\"$url\">Continue</a> | <a href=\"/\">Cancel</a>";
}
?>
Validate URL Format and Schemes
Block dangerous schemes:
<?php
$url = $_GET['url'] ?? '';
$parsed_url = parse_url($url);
// parse_url() omits 'scheme' for relative URLs and returns false on malformed input; default to ''.
$scheme = strtolower($parsed_url['scheme'] ?? '');
if ($scheme !== 'http' && $scheme !== 'https') {
    die("Invalid URL scheme.");
}
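The four fixes above each address one part of the problem. As an added example (not code from the lab), the following script combines them into a single validator: it accepts a site-relative path, or an absolute http/https URL whose host is on the allow-list, and rejects everything else. The function names safe_redirect_target and redirect_or_fail and the $allowed_hosts list are assumptions for this example; the test inputs are constructed.

```php
<?php
// Added example: a single redirect validator combining the allow-list,
// scheme and relative-path checks from the sections above.
// safe_redirect_target / redirect_or_fail are hypothetical helper names.

function safe_redirect_target(string $url, array $allowed_hosts): ?string
{
    $url = trim($url);

    // Control characters or embedded whitespace: parse_url() and browsers
    // disagree on how to treat them, so refuse to redirect at all.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }

    // Site-relative path: must start with exactly one "/". A leading "//"
    // (or "/\") is scheme-relative and would be resolved against another host.
    if ($url[0] === '/') {
        if (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\')) {
            return null;
        }
        return $url;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // malformed, or not an absolute URL: do not guess
    }

    // Only web schemes; this rejects javascript:, data:, file: and similar.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    // Credentials in a redirect target are never legitimate here.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // Exact, case-insensitive host match against the allow-list.
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }

    return $url;
}

function redirect_or_fail(string $url, array $allowed_hosts): void
{
    $target = safe_redirect_target($url, $allowed_hosts);
    if ($target === null) {
        http_response_code(400);
        echo "<h2>Invalid redirect URL.</h2>";
        return;
    }
    header("Location: $target", true, 302);
    exit(); // nothing after a redirect header must run
}

if (PHP_SAPI === 'cli') {
    // Constructed self-test: run with "php redirect_check.php" (assumed file name).
    $allowed = ['example.com', 'localhost'];
    $cases = [
        'http://example.com/home'        => 'http://example.com/home',
        'https://localhost/redirect.php' => 'https://localhost/redirect.php',
        '/profile.php'                   => '/profile.php',
        'http://malicious-site.com'      => null,
        'http://phishingsite.com'        => null,
        '//example.com/home'             => null,
        'javascript:void(0)'             => null,
        'example.com'                    => null,
    ];
    foreach ($cases as $input => $expected) {
        $got = safe_redirect_target($input, $allowed);
        if ($got !== $expected) {
            throw new RuntimeException("unexpected result for $input");
        }
        printf("%-34s => %s\n", $input, $got ?? 'BLOCKED');
    }
    echo "all cases passed\n";
} elseif (isset($_GET['url'])) {
    // Web usage: drop-in replacement for the redirect logic in redirect.php.
    redirect_or_fail($_GET['url'], ['example.com', 'localhost']);
}
```

Two design points worth noting: the host comparison is an exact match, so subdomains of an allowed host are rejected unless listed explicitly, and relative targets are accepted only with a single leading slash so that the browser can never resolve them against a different origin.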
Testing After Fix
Attempt to redirect to a malicious site:
http://localhost/redirect.php?url=http://malicious-site.com
Expected Result:
The server blocks the redirect and displays an error.
Attempt to redirect to a page on a whitelisted domain:
http://localhost/redirect.php?url=http://example.com/home
Expected Result:
The redirect is successful because the host is on the whitelist.
Conclusion
In this lab, you exploited an Open Redirection Vulnerability to redirect users to malicious websites. You also learned how to mitigate this vulnerability by implementing URL whitelisting, using relative URLs for internal redirection, and prompting users before redirection.