[Owasp-leaders] A query regarding Unvalidated redirect

Ankush Mohanty ankush.mohanty at owasp.org
Thu Jan 4 13:45:40 UTC 2018


Thank you for your quick response.

Got your point and I am also acquainted with your scenario. But here the
explanation on the OWASP site is


   1. Also, spider the site to see if it generates any redirects (HTTP
   response codes 300-307, typically 302). Look at the parameters supplied
   prior to the redirect to see if they appear to be a target URL *or a
   piece of such a URL. If so, change the URL target and observe whether the
   site redirects to the new target.*


Please clarify the underlined statement.


Thanks
Ankush

On Thu, 4 Jan 2018 at 6:59 PM, Erlend Oftedal <erlend at oftedal.no> wrote:

> I don't understand. How is he tampering with the location parameter? Is it
> the Location header or a parameter? You only shared the 302 response, not
> the request leading to the response. For this to be valid, you need to
> tamper with the request (not the response), which then affects the response.
>
> Erlend
>
> On 4 January 2018 at 14:26, Ankush Mohanty <ankush.mohanty at owasp.org>
> wrote:
>
>> No, it doesn't.
>>
>> Actually my colleague is just tampering with the 302 Found's Location
>> parameter (changing it to google.com); I already shared the screenshot. And he is
>> showing me the OWASP Top 10 2013 A10
>> https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
>>
>>
>>    "1. Also, spider the site to see if it generates any redirects (HTTP
>>    response codes 300-307, typically 302). Look at the parameters supplied
>>    prior to the redirect to see if they appear to be a target URL or a piece
>>    of such a URL. If so, change the URL target and observe whether the site
>>    redirects to the new target."
>>
>>
>> So according to this, is it valid (severity may be low or medium depending on
>> the situation) or simply invalid?
>>
>> Thanks
>> Ankush
>>
>> On Thu, 4 Jan 2018 at 2:24 PM, Erlend Oftedal <erlend at oftedal.no> wrote:
>>
>>> So the location parameter is a URL parameter or a body parameter?
>>> Like:
>>> https://example.com/something?location=http://evil.com
>>> and then you get a 302 with the Location header set to http://evil.com ?
>>> If so, yes, this is an open redirect and could be used for phishing etc.
>>>
>>> Erlend
>>>
>>>
>>> On 4 January 2018 at 03:58, Ankush Mohanty <ankush.mohanty at owasp.org>
>>> wrote:
>>>
>>>> Hi Michael,
>>>>
>>>> Thank you for your info.
>>>>
>>>> I know the scenario you gave and completely agree with you.
>>>> He is changing the whole Location parameter to an external domain and it
>>>> goes directly to that domain, with the Referer parameter containing our
>>>> application URL. According to me and some of my friends this should not
>>>> happen (the severity of this vulnerability may be low or medium depending on
>>>> the situation).
>>>>
>>>> Please correct me if I am wrong.
>>>>
>>>>
>>>> Thanks
>>>> Ankush
>>>>
>>>> On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
>>>> michael.scovetta at gmail.com> wrote:
>>>>
>>>>> Hi Ankush,
>>>>>   How did your colleague replace the location parameter? Usually, this
>>>>> is vulnerable if there's something like
>>>>> https://blah.com?redirect=https://evil.com and then the server takes
>>>>> the https://evil.com and sticks it into the location parameter. The
>>>>> attack is that I just send you an email with a link to
>>>>> https://your-trusted-bank.com?gobblygook, which of course you trust
>>>>> because it's your bank website, and then you get prompted for creds at
>>>>> https://y0ur-trusted-bank.com which you don't notice is different,
>>>>> because phishing... etc.
>>>>>
>>>>> Mike
>>>>>
>>>>> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <
>>>>> ankush.mohanty at owasp.org> wrote:
>>>>>
>>>>>> Dear leaders,
>>>>>>
>>>>>> One of my colleagues found an issue with a *302 Found* response. He just
>>>>>> replaced the *Location* parameter with an external domain
>>>>>> (www.google.com) and it redirected to the external domain without
>>>>>> hesitation. According to OWASP Top 10 2012 A10 (Am I vulnerable... point no
>>>>>> 2) it should be a vulnerability.
>>>>>>
>>>>>>
>>>>>> Attaching the screenshot of the 302 response. Please let me know
>>>>>> whether I am correct or not.
>>>>>>
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Ankush Mohanty
>>>>>> --
>>>>>> Thanks and Regards
>>>>>> Ankush Mohanty
>>>>>> Cuttack Chapter Lead
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> -[ Michael Scovetta ]-
>>>>>
>>>> --
>>>> Thanks and Regards
>>>> Ankush Mohanty
>>>> Cuttack Chapter Lead
>>>>
>>>>
>>>>
>>> --
>> Thanks and Regards
>> Ankush Mohanty
>> Cuttack Chapter Lead
>>
>
> --
Thanks and Regards
Ankush Mohanty
Cuttack Chapter Lead
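The check the quoted OWASP sentence describes, worked through as an added example (this is not code from the thread, from OWASP, or from any real target; the parameter name `location`, the application URL `https://example.com/login` and the attacker host `evil.com` are assumptions borrowed from the illustrations in the replies above). The probe changes the target in the *request* parameter and then inspects where the *response* Location would land; editing the Location header of a 302 inside a proxy, as the colleague did, only changes what the tester's own browser does and never exercises the server's code path. The hardened handler shows a fix that accepts only a local path, including the scheme-relative and backslash variants a browser would still follow off-site.

```python
"""Open redirect: the OWASP probe, a vulnerable handler and a hardened one.

Added example; not code from the mailing-list thread or from OWASP.
APP_BASE, ATTACKER_HOST and the `location` parameter name are assumptions.
"""
from urllib.parse import parse_qs, quote, urljoin, urlsplit

APP_BASE = "https://example.com/login"  # assumed URL of the page that redirects
ATTACKER_HOST = "evil.com"              # assumed attacker-controlled host

# Constructed probe values; each is what a tester would put in the request
# parameter in place of the site's own target URL.  The last one is benign.
PAYLOADS = [
    f"https://{ATTACKER_HOST}/",              # absolute URL
    f"//{ATTACKER_HOST}/",                    # scheme-relative
    f"/\\{ATTACKER_HOST}/",                   # browsers read '\' as '/'
    f"https://example.com.{ATTACKER_HOST}/",  # prefix-match bypass
    "/account",                               # legitimate local path
]


def vulnerable_redirect(query: str):
    """Reflects ?location=... straight into Location: the A10 pattern."""
    target = parse_qs(query).get("location", ["/"])[0]
    return 302, {"Location": target}


def safe_target(target: str) -> str:
    """Allow only a local path; everything else falls back to '/'."""
    if "\r" in target or "\n" in target:          # header injection attempt
        return "/"
    if not target.startswith("/"):                # absolute URL or scheme
        return "/"
    if target.startswith(("//", "/\\")):          # //host and /\host escape
        return "/"
    return target


def hardened_redirect(query: str):
    """Same endpoint with the target validated before it reaches Location."""
    target = parse_qs(query).get("location", ["/"])[0]
    return 302, {"Location": safe_target(target)}


def landing_host(base: str, location: str):
    """Host a browser would end up on after following `location` from `base`.
    Backslashes are folded to slashes because WHATWG URL parsing does that
    for http(s) URLs; urljoin alone would not."""
    return urlsplit(urljoin(base, location.replace("\\", "/"))).hostname


def probe(handler, param: str = "location"):
    """The OWASP step: change the URL target in the request and observe
    whether the response redirects to the new target.  Returns the payloads
    that escape the application's host."""
    app_host = urlsplit(APP_BASE).hostname
    escapes = []
    for payload in PAYLOADS:
        status, headers = handler(f"{param}={quote(payload, safe='')}")
        if not 300 <= status <= 307:
            continue
        if landing_host(APP_BASE, headers.get("Location", "")) != app_host:
            escapes.append(payload)
    return escapes


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_redirect))
    print("hardened:  ", probe(hardened_redirect))
```

Run against the vulnerable handler the probe reports the four off-site payloads and not `/account`; against the hardened handler it reports nothing, because every unsafe value collapses to `/`. The same loop can be pointed at a real endpoint by replacing the handler with an HTTP request function that returns the status and headers, which is the spidering step the OWASP text describes.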