[Owasp-leaders] A query regarding Unvalidated redirect

Erlend Oftedal erlend at oftedal.no
Thu Jan 4 13:29:08 UTC 2018


I don't understand. How is he tampering with the location parameter? Is it
the Location header or a parameter? You only shared the 302 response, not
the request leading to the response. For this to be valid, you need to
tamper with the request (not the response), which then affects the response.

Erlend

On 4 January 2018 at 14:26, Ankush Mohanty <ankush.mohanty at owasp.org> wrote:

> No, it doesn't.
>
> Actually my colleague is just tampering with the 302 Found's Location parameter
> to (google.com); I already shared the screenshot. And he is showing me the
> OWASP top 10 2013 A10 https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
>
>
>    1. "Also, spider the site to see if it generates any redirects (HTTP
>    response codes 300-307, typically 302). Look at the parameters supplied
>    prior to the redirect to see if they appear to be a target URL or a piece
>    of such a URL. If so, change the URL target and observe whether the site
>    redirects to the new target."
>
>
> So according to this, is it valid (severity may be low or medium depending on the
> situation) or simply invalid?
>
> Thanks
> Ankush
>
> On Thu, 4 Jan 2018 at 2:24 PM, Erlend Oftedal <erlend at oftedal.no> wrote:
>
>> So the location parameter is a URL parameter or a body parameter?
>> Like:
>> https://example.com/something?location=http://evil.com
>> and then you get a 302 with the Location header set to http://evil.com ?
>> If so, yes, this is an open redirect and could be used for phishing etc.
>>
>> Erlend
>>
>>
>> On 4 January 2018 at 03:58, Ankush Mohanty <ankush.mohanty at owasp.org>
>> wrote:
>>
>>> Hi Michael,
>>>
>>> Thank you for your info.
>>>
>>> I know the scenario you gave and completely agree with you.
>>> He is changing the whole location parameter to an external domain and it is
>>> going directly to that domain with the Referer header containing our
>>> application URL. According to me and some of my friends this should not
>>> happen (maybe the severity of this vulnerability is low or medium depending on
>>> the situation).
>>>
>>> Please correct me if I am wrong.
>>>
>>>
>>> Thanks
>>> Ankush
>>>
>>> On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
>>> michael.scovetta at gmail.com> wrote:
>>>
>>>> Hi Ankush,
>>>>   How did your colleague replace the location parameter? Usually, this
>>>> is vulnerable if there's something like https://blah.com?redirect=
>>>> https://evil.com and then the server takes the https://evil.com and
>>>> sticks it into the location parameter. The attack is that I just send you
>>>> an email with a link to https://your-trusted-bank.com?gobblygook,
>>>> which of course you trust because it's your bank website, and then you get
>>>> prompted for creds at https://y0ur-trusted-bank.com which you don't
>>>> notice is different, because phishing... etc.
>>>>
>>>> Mike
>>>>
>>>> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <
>>>> ankush.mohanty at owasp.org> wrote:
>>>>
>>>>> Dear leaders,
>>>>>
>>>>> One of my colleagues found an issue on a *302 Found* response. He just
>>>>> replaced the *Location* parameter with an external domain
>>>>> (www.google.com) and was redirected to the external domain without
>>>>> hesitation. According to OWASP Top 10 2012 A10 (Am I vulnerable... point no
>>>>> 2) it should be a vulnerability.
>>>>>
>>>>>
>>>>> Attaching the screenshot of the 302 response. Please let me know
>>>>> whether I am correct or not.
>>>>>
>>>>>
>>>>> Thanks & Regards
>>>>> Ankush Mohanty
>>>>> --
>>>>> Thanks and Regards
>>>>> Ankush Mohanty
>>>>> Cuttack Chapter Lead
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> -[ Michael Scovetta ]-
>>>>
>>> --
>>> Thanks and Regards
>>> Ankush Mohanty
>>> Cuttack Chapter Lead
>>>
>>>
>>>
>> --
> Thanks and Regards
> Ankush Mohanty
> Cuttack Chapter Lead
>
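The distinction the thread draws is that an open redirect exists only when a value the client sends in the request is copied by the server into the Location header of the 302; editing the Location header of a response in your own proxy changes nothing on the server. The following is an added example, not code from the thread or from OWASP: the vulnerable reflection beside the check a server should apply before writing that header. The allowed hostnames are assumed.

```python
"""Added example: validating a request-supplied redirect target.

The vulnerable pattern from the thread is ?redirect=https://evil.com being
reflected unchanged into the Location header. is_safe_redirect() is the
server-side check that prevents that; hostnames below are assumed.
"""
from urllib.parse import urlsplit

# Hypothetical hosts the application is allowed to send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True if `target` is a same-site path or an absolute URL to an allowed host."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False  # CRLF or NUL would corrupt the header itself
    # Browsers treat backslashes as slashes; normalise before parsing so
    # "/\evil.com" is not mistaken for a local path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash, because
        # "//host/..." is protocol-relative and leaves the site.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and friends
    # urlsplit lowercases hostname and strips userinfo, so
    # "https://example.com@evil.com/" resolves to evil.com here.
    return parts.hostname is not None and parts.hostname in allowed_hosts


def vulnerable_location(requested: str) -> str:
    """The bug the thread describes: the request value becomes Location unchanged."""
    return requested


def safe_location(requested: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened form: unsafe targets fall back to a fixed same-site page."""
    if is_safe_redirect(requested, allowed_hosts):
        return requested
    return DEFAULT_TARGET


if __name__ == "__main__":
    for t in ["/account", "https://www.example.com/x", "http://evil.com",
              "//evil.com", "/\\evil.com", "https://example.com@evil.com/"]:
        print(f"{t!r:36} vulnerable={vulnerable_location(t)!r:36} "
              f"safe={safe_location(t)!r}")
```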
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_2132.jpg
Type: image/jpeg
Size: 1692428 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20180104/055024fe/attachment-0001.jpg>