When a web application accepts untrusted input, the web application may redirect the request to a URL included inside the untrusted input. An attacker can successfully conduct a phishing scheme and steal user credentials by changing untrusted URL input to a malicious site.
Because the server name in the changed URL is the same as the original site’s, phishing efforts may look more trustworthy. Unvalidated redirect and forward attacks may also be used to maliciously design a URL that passes the application’s access control check and then redirect the attacker to privileged functionality that they would not ordinarily be allowed to access.
Example of a Dangerous URL Redirect:
The following Java code reads the URL from the URL argument (GET or POST) and redirects to it:
response.sendRedirect(request.getParameter("url"));
The PHP code below extracts a URL from the query string (through the url argument) and then redirects the user to that URL. Furthermore, the PHP code that follows this header() method will continue to run, so if the user configures their browser to ignore the redirect, they may be able to view the rest of the page.
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
A similar example of C# .NET Vulnerable Code:
string url = request.QueryString["url"];
Response.Redirect(url);
And in Rails:
redirect_to params[:url]
If no validation or extra method restrictions are used to validate the URL’s certainty, the above code is vulnerable to an attack. By referring consumers to a rogue site, this vulnerability might be leveraged as part of a phishing scheme.
If no validation is used, a malicious user may build a hyperlink that would take your users to an unvalidated harmful website, such as:
http://example.com/example.php?url=http://malicious.example.com
The user sees the link going to the original trusted site (example.com) and is unaware of the redirection that may occur.
Validating and sanitizing user input to establish whether a URL is secure is a difficult operation. The Server Side Request Forgery Prevention Cheat Sheet has detailed instructions on how to implement URL validation.
ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.