URL Redirection to Untrusted Site ('Open Redirect') |
Weakness ID: 601 (Weakness Variant) | Status: Draft |
Description Summary
Extended Description
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
Scope | Effect |
---|---|
Integrity | The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data. |
Integrity Confidentiality | The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the users credentials and then use these credentials to access the legitimate web site. |
Manual Static Analysis Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. Effectiveness: High |
Automated Dynamic Analysis Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected. |
Automated Static Analysis Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives. |
Other Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs. |
Example 1
The following code obtains a URL from the query string and then redirects the user to that URL.
The problem with the above code is that an attacker could use this page as part of a phishing scam by redirecting users to a malicious site. For example, assume the above code is in the file example.php. An attacker could supply a user with the following link:
The user sees the link pointing to the original trusted site (example.com) and does not realize the redirection that could take place.
Reference | Description |
---|---|
CVE-2005-4206 | URL parameter loads the URL into a frame and causes it to appear to be part of a valid page. |
CVE-2008-2951 | An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function. |
CVE-2008-2052 | Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter. |
Phase: Implementation Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue." Use a whitelist of approved URLs or domains to be used for redirection. |
Phase: Architecture and Design Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving your site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page. |
Phase: Architecture and Design When the set of URLs to be redirected is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual URLs, and reject all other inputs. For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap provide this capability. |
Phases: Architecture and Design; Implementation Strategy: Identify and Reduce Attack Surface Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields. |
Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 20 | Improper Input Validation | Development Concepts (primary)699 |
ChildOf | Category | 442 | Web Problems | Development Concepts699 |
ChildOf | Weakness Class | 610 | Externally Controlled Reference to a Resource in Another Sphere | Research Concepts (primary)1000 |
ChildOf | Category | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ChildOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
Anonymous Tool Vendor (under NDA) | |||
WASC | 38 | URl Redirector Abuse |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
194 | Fake the Source of Data |
Craig A. Shue, Andrew J. Kalafut and Minaxi Gupta. "Exploitable Redirects on the Web: Identification, Prevalence, and Defense". <http://www.cs.indiana.edu/cgi-pub/cshue/research/woot08.pdf>. |
Russ McRee. "Open redirect vulnerabilities: definition and prevention". Page 43. Issue 17. (IN)SECURE. July 2008. <http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf>. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
Anonymous Tool Vendor (under NDA) | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Alternate Terms, Background Details, Description, Detection Factors, Likelihood of Exploit, Name, Relationships, Observed Example, Taxonomy Mappings | ||||
2008-10-03 | CWE Content Team | MITRE | Internal | |
updated References and Observed Examples | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Alternate Terms, Observed Examples, References | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Name | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples, Detection Factors, Likelihood of Exploit, Potential Mitigations | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Unsafe URL Redirection | |||
2008-09-09 | URL Redirection to Untrusted Site | |||
2009-05-27 | URL Redirection to Untrusted Site (aka 'Open Redirect') | |||