[Owasp-leaders] A query regarding Unvalidated redirect

Ankush Mohanty ankush.mohanty at owasp.org
Thu Jan 4 13:26:28 UTC 2018


No, it doesn't.

Actually, my colleague is just tampering with the 302 Found's Location parameter
(to google.com); I already shared the screenshot. And he is showing me the
OWASP Top 10 2013 A10:
https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards


   1. "Also, spider the site to see if it generates any redirects (HTTP
   response codes 300-307, typically 302). Look at the parameters supplied
   prior to the redirect to see if they appear to be a target URL or a piece
   of such a URL. If so, change the URL target and observe whether the site
   redirects to the new target."


So according to this, is it valid (severity may be low or medium depending on
the situation) or simply invalid?

Thanks
Ankush

On Thu, 4 Jan 2018 at 2:24 PM, Erlend Oftedal <erlend at oftedal.no> wrote:

> So the location parameter is a URL parameter or a body parameter?
> Like:
> https://example.com/something?location=http://evil.com
> and then you get a 302 with the Location header set to http://evil.com ?
> If so, yes, this is an open redirect and could be used for phishing etc.
>
> Erlend
>
>
> On 4 January 2018 at 03:58, Ankush Mohanty <ankush.mohanty at owasp.org>
> wrote:
>
>> Hi Michael,
>>
>> Thank you for your info.
>>
>> I know the scenario you gave and completely agree with you.
>> He is changing the whole Location parameter to an external domain and it is
>> going directly to that domain, with the Referer parameter containing our
>> application URL. According to me and some of my friends this should not
>> happen (maybe the severity of this vulnerability is low or medium depending
>> on the situation).
>>
>> Please correct me if I am wrong.
>>
>>
>> Thanks
>> Ankush
>>
>> On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
>> michael.scovetta at gmail.com> wrote:
>>
>>> Hi Ankush,
>>>   How did your colleague replace the location parameter? Usually, this
>>> is vulnerable if there's something like
>>> https://blah.com?redirect=https://evil.com and then the server takes
>>> the https://evil.com and sticks it into the location parameter. The
>>> attack is that I just send you an email with a link to
>>> https://your-trusted-bank.com?gobbledygook, which of course you trust
>>> because it's your bank website, and then you get prompted for creds at
>>> https://y0ur-trusted-bank.com which you don't notice is different,
>>> because phishing... etc.
>>>
>>> Mike
>>>
>>> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <ankush.mohanty at owasp.org
>>> > wrote:
>>>
>>>> Dear leaders,
>>>>
>>>> One of my colleagues found an issue with a *302 Found* response. He just
>>>> replaced the *Location* parameter with an external domain
>>>> (www.google.com) and was redirected to the external domain without
>>>> hesitation. According to OWASP Top 10 2012 A10 ("Am I vulnerable...", point
>>>> no. 2) it should be a vulnerability.
>>>>
>>>>
>>>> Attaching the screenshot of the 302 response. Please let me know
>>>> whether I am correct or not.
>>>>
>>>>
>>>> Thanks & Regards
>>>> Ankush Mohanty
>>>> --
>>>> Thanks and Regards
>>>> Ankush Mohanty
>>>> Cuttack Chapter Lead
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> -[ Michael Scovetta ]-
>>>
>> --
>> Thanks and Regards
>> Ankush Mohanty
>> Cuttack Chapter Lead
>>
>>
--
Thanks and Regards
Ankush Mohanty
Cuttack Chapter Lead
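Both replies in this thread turn on the same distinction: an open redirect (A10) exists when the server builds the 302 Location from something the client sent, so a tester has to change the request parameter and watch the server's response, not edit the Location header of the response in a proxy. The following is an added example, not code from the thread or from OWASP. It implements the test quoted from the OWASP page above (swap URL-looking parameters for a canary host and see whether Location follows) against two in-process handlers, one that copies a hypothetical `next` parameter straight into Location and one that validates it, and shows a server-side validator that only accepts path-relative targets. The hostnames `example.com` and `attacker.invalid`, the `next` parameter and both handlers are constructed for the example; `send` is a stand-in for an HTTP client.

```python
"""Added example (not from the thread): probing for and fixing an open redirect."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OUR_HOST = "example.com"            # assumed application host (constructed)
ATTACKER_HOST = "attacker.invalid"  # canary host the probe redirects to (constructed)


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Server-side fix: return `target` only if it stays on our site, else `default`.

    Accepts path-relative targets only.  Rejects anything with a scheme or
    authority, protocol-relative '//host', and the backslash / embedded
    tab-newline variants that browsers normalise into '//host'.
    """
    if not target:
        return default
    normalised = target.strip()
    for ch in "\t\r\n":              # browsers drop these inside a URL
        normalised = normalised.replace(ch, "")
    normalised = normalised.replace("\\", "/")   # '/\evil.com' -> '//evil.com'
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:             # https://evil.com, javascript:, //evil.com
        return default
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default                           # 'evil.com/x' or '///evil.com'
    # Keep path and query, drop any fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def looks_like_url(value: str) -> bool:
    """The OWASP heuristic: does the parameter look like a target URL or part of one?"""
    return value.startswith(("/", "http://", "https://")) or "." in value


def probe_open_redirect(request_url: str, send) -> list:
    """Tester-side check from the quoted OWASP text.

    For every URL-looking parameter in `request_url`, re-send the request
    with that parameter pointed at ATTACKER_HOST and inspect the response.
    `send(url)` returns (status, headers) for a GET of `url`; in real use
    it wraps an HTTP client, here it wraps an in-process handler.
    Returns the names of parameters the server reflected into Location.
    """
    parts = urlsplit(request_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for i, (name, value) in enumerate(params):
        if not looks_like_url(value):
            continue
        tampered = list(params)
        tampered[i] = (name, f"https://{ATTACKER_HOST}/")
        url = urlunsplit(parts._replace(query=urlencode(tampered)))
        status, headers = send(url)
        location = headers.get("Location", "")
        if 300 <= status <= 307 and urlsplit(location).hostname == ATTACKER_HOST:
            findings.append(name)
    return findings


def vulnerable_handler(url: str):
    """Hypothetical server that copies ?next= straight into Location (the A10 bug)."""
    query = dict(parse_qsl(urlsplit(url).query))
    return 302, {"Location": query.get("next", "/")}


def fixed_handler(url: str):
    """Same endpoint with the target validated before it reaches Location."""
    query = dict(parse_qsl(urlsplit(url).query))
    return 302, {"Location": safe_redirect_target(query.get("next", ""))}


if __name__ == "__main__":
    login = f"https://{OUR_HOST}/login?next=/home&lang=en"   # constructed request
    print("vulnerable:", probe_open_redirect(login, vulnerable_handler))  # ['next']
    print("fixed:     ", probe_open_redirect(login, fixed_handler))       # []
```

Note what the probe does not do: it never touches the response. If the only way to reach google.com is to rewrite the Location header in an intercepting proxy, the server did not produce that redirect, and the probe (like the OWASP test it implements) reports nothing. The validator deliberately refuses absolute URLs altogether rather than comparing hostnames, which sidesteps the `https://example.com.evil.com` and `https://example.com@evil.com` classes of bypass.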
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_2132.jpg
Type: image/jpeg
Size: 1692428 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20180104/7189b241/attachment-0001.jpg>