[Owasp-leaders] A query regarding Unvalidated redirect

Erlend Oftedal erlend at oftedal.no
Thu Jan 4 08:54:10 UTC 2018


So the location parameter is a URL parameter or a body parameter?
Like:
https://example.com/something?location=http://evil.com
and then you get a 302 with the Location header set to http://evil.com ?
If so, yes, this is an open redirect and could be used for phishing etc.

Erlend
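
The check behind the answer above (a `location`/`redirect` parameter copied into the Location header only after it has been validated), written as an added example that is not code from this thread; the allow-listed host names are constructed for the example:

```python
from urllib.parse import urlsplit

# Hosts we are willing to redirect to (constructed for this example).
ALLOWED_HOSTS = frozenset({"example.com", "app.example.com"})
SAFE_DEFAULT = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-origin path or points at an allow-listed host."""
    if not target:
        return False
    # Raw whitespace and control characters are never legitimate here; browsers
    # strip some of them silently, which lets "\t//evil.com" slip past naive checks.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/" before the authority, so "/\evil.com" is really
    # the protocol-relative "//evil.com". Normalise before parsing.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, and friends
        if not parts.netloc:
            return False  # "https:evil.com" parses with an empty authority
    if parts.netloc:
        # .hostname drops userinfo and port, so "https://example.com@evil.com"
        # is judged by "evil.com", not by the decoy in front of the "@".
        return (parts.hostname or "").lower() in allowed_hosts
    # No scheme and no authority: accept only an absolute local path such as
    # "/account"; "//evil.com" and "///evil.com" are protocol-relative, not local.
    return normalized.startswith("/") and not normalized.startswith("//")


def redirect_response(location_param: str) -> tuple:
    """Build the 302 a handler should emit: the user-supplied value is used only
    after validation, otherwise the user lands on a fixed safe page."""
    target = location_param if is_safe_redirect(location_param) else SAFE_DEFAULT
    return 302, {"Location": target}
```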


On 4 January 2018 at 03:58, Ankush Mohanty <ankush.mohanty at owasp.org> wrote:

> Hi Michael,
>
> Thank you for your info.
>
> I know the scenario you have given and completely agree with you.
> He is changing the whole location parameter to an external domain and it is
> going directly to that domain with the Referer parameter containing our
> application URL. According to me and some of my friends this should not
> happen (maybe the severity of this vulnerability is low or medium depending on
> the situation).
>
> Please correct me if I am wrong.
>
>
> Thanks
> Ankush
>
> On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
> michael.scovetta at gmail.com> wrote:
>
>> Hi Ankush,
>>   How did your colleague replace the location parameter? Usually, this is
>> vulnerable if there's something like https://blah.com?redirect=
>> https://evil.com and then the server takes the https://evil.com and
>> sticks it into the location parameter. The attack is that I just send you
>> an email with a link to https://your-trusted-bank.com?gobblygook, which
>> of course you trust because it's your bank website, and then you get
>> prompted for creds at https://y0ur-trusted-bank.com which you don't
>> notice is different, because phishing... etc.
>>
>> Mike
>>
>> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <ankush.mohanty at owasp.org>
>> wrote:
>>
>>> Dear leaders,
>>>
>>> One of my colleagues got an issue on a *302 Found* response. He just
>>> replaced the *Location* parameter with an external domain
>>> (www.google.com) and was redirected to the external domain without
>>> hesitation. According to OWASP Top 10 2012 A10 (Am I vulnerable... point no
>>> 2) it should be a vulnerability.
>>>
>>>
>>> Attaching the screenshot of the 302 response. Please let me know
>>> whether I am correct or not.
>>>
>>>
>>> Thanks & Regards
>>> Ankush Mohanty
>>> --
>>> Thanks and Regards
>>> Ankush Mohanty
>>> Cuttack Chapter Lead
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> -[ Michael Scovetta ]-
>>
> --
> Thanks and Regards
> Ankush Mohanty
> Cuttack Chapter Lead
>
>
>