[Owasp-leaders] A query regarding Unvalidated redirect

Ankush Mohanty ankush.mohanty at owasp.org
Thu Jan 4 02:58:23 UTC 2018


Hi Michael,

Thank you for your info.

I know the scenario you given and completely agree with you.
He is changing the whole location parameter to external domain and it is
going directly to that domain with Referer parameter contains our
application URL . According to me and some of my friends this should not
happen(may be severity of this vulnerability is low or medium according to
situations).

Please correct me if I am wrong.


Thanks
Ankush

On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
michael.scovetta at gmail.com> wrote:

> Hi Ankush,
>   How did your colleague replace the location parameter? Usually, this is
> vulnerable if there's something like
> https://blah.com?redirect=https://evil.com and then the server takes the
> https://evil.com and sticks it into the location parameter. The attack is
> that I just send you an email with a link to
> https://your-trusted-bank.com?gobblygook, which of course you trust
> because it's your bank website, and then you get prompted for creds at
> https://y0ur-trusted-bank.com which you don't notice is different,
> because phishing... etc.
>
> Mike
>
> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <ankush.mohanty at owasp.org>
> wrote:
>
>> Dear leaders,
>>
>> One of my colleague got an issue on a *302 found* response. He just
>> replaced the *Location *parameter with an external  domain(www.google.com)
>> and redirected to the external domain without hesitation. According to
>> OWASP Top 10 2012 A10 (Am I vulnerable... point no 2) it should be a
>> vulnerability.
>>
>>
>> Attaching the screenshot of the 302 response. Please let me know wheather
>> I am correct or not.
>>
>>
>> Thanks & Regards
>> Ankush Mohanty
>> --
>> Thanks and Regards
>> Ankush Mohanty
>> Cuttack Chapter Lead
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> -[ Michael Scovetta ]-
>
-- 
Thanks and Regards
Ankush Mohanty
Cuttack Chapter Lead
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20180104/181fb204/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_2132.jpg
Type: image/jpeg
Size: 1692428 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20180104/181fb204/attachment-0001.jpg>


More information about the OWASP-Leaders mailing list