Objective
Learn how to exploit Insecure Redirects and Forwards to trick users into visiting malicious websites or bypass authentication mechanisms. Understand how to prevent these vulnerabilities by validating redirect URLs, using allow-lists, and enforcing secure redirect mechanisms.
Scenario
You are testing a web application that redirects users to a specified URL after login using a query parameter. Due to insufficient validation, an attacker can manipulate the redirect URL to send users to a malicious website.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and web servers.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- Tools like Burp Suite or browser developer tools for intercepting and modifying requests.
Step 1: Create the Vulnerable Web Application
- PHP Script for Vulnerable Redirects
- Create a file login.php:

```php
<?php
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Simple authentication check (hard-coded credentials for the lab)
    if ($username === 'admin' && $password === 'password') {
        // VULNERABLE: the redirect target is taken straight from the query
        // string without any validation, so whatever URL is supplied is used.
        $redirect_url = $_GET['redirect_url'] ?? 'dashboard.php';
        header("Location: $redirect_url");
        exit;
    } else {
        echo "<h2>Invalid Credentials</h2>";
    }
}
?>
<h2>Login</h2>
<!-- action="" posts back to the current URL, so ?redirect_url=... survives the login POST -->
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
```
- Dashboard Page
- Create a simple file dashboard.php:

```php
<?php
// Landing page after a successful login
echo "<h2>Welcome to the Dashboard!</h2>";
?>
```
- Running the Application
- Start the Apache server.
- Place both login.php and dashboard.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/login.php in your browser.
Exploitation Steps
Step 1: Crafting a Malicious Redirect
- Craft a URL to exploit the redirect:
http://localhost/login.php?redirect_url=http://attacker.com
- Enter valid login credentials (admin/password).
- Expected Result:
- After logging in, the user is redirected to http://attacker.com instead of dashboard.php.
Step 2: Phishing Scenario
- The attacker sends a phishing link like:
http://victimsite.com/login.php?redirect_url=http://malicious.com
- Expected Result:
- Victims are redirected to a fake website that looks identical to the legitimate one, stealing their credentials.
Solution and Prevention
Problem Analysis
- The application redirects users based on a user-controlled input (redirect_url) without validation, allowing redirection to untrusted websites.
Fixing the Vulnerability
- Validate Redirect URLs
- Ensure the redirect URL is within the same domain:

```php
$allowed_domains = ['localhost', 'example.com'];
$redirect_url = $_GET['redirect_url'] ?? '';
$parsed_url = parse_url($redirect_url);
// parse_url() returns false for malformed input and has no 'host' entry for
// relative paths, so read the host defensively. Strict in_array() avoids
// loose-comparison surprises.
$host = is_array($parsed_url) ? ($parsed_url['host'] ?? '') : '';
if ($host !== '' && in_array($host, $allowed_domains, true)) {
    header("Location: $redirect_url");
} else {
    header("Location: dashboard.php");
}
exit;
```

- Use Relative URLs Only
- Restrict redirects to internal pages:

```php
$redirect_url = $_GET['redirect_url'] ?? '';
// A single leading slash means a site-relative path. A second slash
// ("//attacker.com") is a scheme-relative URL that browsers follow to another
// host, and "/\" is normalised to "//" by browsers, so both are rejected.
if (strpos($redirect_url, '/') === 0 && !preg_match('#^/[/\\\\]#', $redirect_url)) {
    header("Location: $redirect_url");
} else {
    header("Location: dashboard.php");
}
exit;
```

- Implement a Redirect Allow-List
- Define allowed redirect paths:

```php
$allowed_pages = ['dashboard.php', 'profile.php'];
$redirect_url = $_GET['redirect_url'] ?? '';
// Exact match against a fixed list of internal pages (strict comparison)
if (in_array($redirect_url, $allowed_pages, true)) {
    header("Location: $redirect_url");
} else {
    header("Location: dashboard.php");
}
exit;
```

- Display Redirect Notices
- Inform users when they are redirected:

```php
echo "You are being redirected to a different page. Click here if not redirected automatically.";
```
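The three validation approaches above can be combined into a single function that decides what is safe to place in the Location header. The code below is an added example, not part of the original lab; the function name safe_redirect_target and the sample inputs are constructed for illustration.

```php
<?php
// Added example (hypothetical helper): returns a redirect target that is safe
// to use in a Location header, or dashboard.php when the candidate cannot be
// vouched for. $allowed_hosts is a list of lower-case host names.
function safe_redirect_target(?string $candidate, array $allowed_hosts): string
{
    $fallback = 'dashboard.php';
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Backslashes and control characters are rejected outright: browsers
    // normalise "/\evil.com" to "//evil.com", and CR/LF must never reach header().
    if (preg_match('/[\\\\\x00-\x1f]/', $candidate)) {
        return $fallback;
    }
    // Site-relative path: exactly one leading slash. "//host" is scheme-relative
    // and would leave the site, so it falls back.
    if ($candidate[0] === '/') {
        return (strlen($candidate) > 1 && $candidate[1] === '/') ? $fallback : $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // unparseable, or no scheme/host (e.g. "javascript:...")
    }
    // Only web schemes, and only an exact host match against the allow-list, so
    // "localhost.attacker.com" or "localhost@attacker.com" do not pass.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample inputs covering the cases discussed in this lab.
$samples = [
    '/dashboard.php',
    'http://localhost/profile.php',
    'http://attacker.com',
    '//attacker.com',
    '/\attacker.com',
    'http://localhost@attacker.com',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", $s, safe_redirect_target($s, ['localhost', 'example.com']));
}
```

Only the first two samples survive as given; every other input is replaced by dashboard.php, which is the behaviour Testing After Fix expects.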
Testing After Fix
- Attempt to redirect to http://attacker.com.
- Expected Result:
- The server rejects the redirect and redirects to a safe page.
- Try relative URLs like /dashboard.php.
- Expected Result:
- The redirect works correctly for allowed internal pages.
Conclusion
In this lab, you exploited an Insecure Redirect and Forward vulnerability to redirect users to malicious websites. You also learned how to mitigate this vulnerability by validating redirect URLs, using allow-lists, and enforcing secure redirect mechanisms.