[Owasp-leaders] A query regarding Unvalidated redirect

Erlend Oftedal erlend at oftedal.no
Thu Jan 4 14:12:07 UTC 2018


   1. Also, spider the site to see if it generates any redirects (HTTP
   response codes 300-307, typically 302). *Look at the parameters supplied
   prior to the redirect* to see if they appear to be a target URL
*or a piece of such a URL. If so, change the URL target and observe whether
   the site redirects to the new target. *


It says parameters prior to the redirect. (Response) Headers are not
parameters. This is an indirect attack. The attack tricks the victim into
going to a site under his/her control. Thus the attacker needs to set a
parameter in the URL, send it to the victim, and have the victim
redirected. The attack can only influence the request URL parameters, not
the response directly.





On 4 January 2018 at 14:45, Ankush Mohanty <ankush.mohanty at owasp.org> wrote:

> Thank you for your quick response.
>
> Got your point and I am also acquainted with your scenario. But here the
> explanation in the OWASP site is
>
>
>    1. Also, spider the site to see if it generates any redirects (HTTP
>    response codes 300-307, typically 302). Look at the parameters supplied
>    prior to the redirect to see if they appear to be a target URL *or a
>    piece of such a URL. If so, change the URL target and observe whether the
>    site redirects to the new target.*
>
>
> Please clarify the underlined statement.
>
>
> Thanks
> Ankush
>
> On Thu, 4 Jan 2018 at 6:59 PM, Erlend Oftedal <erlend at oftedal.no> wrote:
>
>> I don't understand. How is he tampering with the location parameter? Is
>> it the Location header or a parameter? You only shared the 302 response,
>> not the request leading to the response. For this to be valid, you need to
>> tamper with the request (not the response), which then affects the response.
>>
>> Erlend
>>
>> On 4 January 2018 at 14:26, Ankush Mohanty <ankush.mohanty at owasp.org>
>> wrote:
>>
>>> No, it doesn't.
>>>
>>> Actually my colleague is just tampering with the 302 Found's Location
>>> parameter (to google.com); I already shared the screenshot. And he is
>>> showing me the OWASP Top 10 2013 A10
>>> https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
>>>
>>>
>>>    1. Also, spider the site to see if it generates any redirects (HTTP
>>>    response codes 300-307, typically 302). Look at the parameters supplied
>>>    prior to the redirect to see if they appear to be a target URL or a piece
>>>    of such a URL. If so, change the URL target and observe whether the site
>>>    redirects to the new target.”
>>>
>>>
>>> So, according to this, is it valid (severity may be low or medium depending
>>> on the situation) or simply invalid?
>>>
>>> Thanks
>>> Ankush
>>>
>>> On Thu, 4 Jan 2018 at 2:24 PM, Erlend Oftedal <erlend at oftedal.no> wrote:
>>>
>>>> So the location parameter is a URL parameter or a body parameter?
>>>> Like:
>>>> https://example.com/something?location=http://evil.com
>>>> and then you get a 302 with the Location header set to http://evil.com
>>>> ?
>>>> If so, yes, this is an open redirect and could be used for phishing etc.
>>>>
>>>> Erlend
>>>>
>>>>
>>>> On 4 January 2018 at 03:58, Ankush Mohanty <ankush.mohanty at owasp.org>
>>>> wrote:
>>>>
>>>>> Hi Michael,
>>>>>
>>>>> Thank you for your info.
>>>>>
>>>>> I know the scenario you gave and completely agree with you.
>>>>> He is changing the whole location parameter to an external domain and it
>>>>> is going directly to that domain, with the Referer parameter containing our
>>>>> application URL. According to me and some of my friends this should not
>>>>> happen (maybe the severity of this vulnerability is low or medium, depending
>>>>> on the situation).
>>>>>
>>>>> Please correct me if I am wrong.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Ankush
>>>>>
>>>>> On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
>>>>> michael.scovetta at gmail.com> wrote:
>>>>>
>>>>>> Hi Ankush,
>>>>>>   How did your colleague replace the location parameter? Usually,
>>>>>> this is vulnerable if there's something like
>>>>>> https://blah.com?redirect=https://evil.com and then the server takes
>>>>>> the https://evil.com and sticks it into the location parameter. The
>>>>>> attack is that I just send you an email with a link to
>>>>>> https://your-trusted-bank.com?gobblygook, which of course you trust
>>>>>> because it's your bank website, and then you get prompted for creds at
>>>>>> https://y0ur-trusted-bank.com which you don't notice is different,
>>>>>> because phishing... etc.
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <
>>>>>> ankush.mohanty at owasp.org> wrote:
>>>>>>
>>>>>>> Dear leaders,
>>>>>>>
>>>>>>> One of my colleagues got an issue on a *302 Found* response. He just
>>>>>>> replaced the *Location* parameter with an external domain
>>>>>>> (www.google.com) and was redirected to the external domain without
>>>>>>> hesitation. According to OWASP Top 10 2012 A10 (Am I vulnerable... point no
>>>>>>> 2) it should be a vulnerability.
>>>>>>>
>>>>>>>
>>>>>>> Attaching the screenshot of the 302 response. Please let me know
>>>>>>> whether I am correct or not.
>>>>>>>
>>>>>>>
>>>>>>> Thanks & Regards
>>>>>>> Ankush Mohanty
>>>>>>> --
>>>>>>> Thanks and Regards
>>>>>>> Ankush Mohanty
>>>>>>> Cuttack Chapter Lead
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> -[ Michael Scovetta ]-
>>>>>>
>>>>> --
>>>>> Thanks and Regards
>>>>> Ankush Mohanty
>>>>> Cuttack Chapter Lead
>>>>>
>>>>>
>>>>>
>>>> --
>>> Thanks and Regards
>>> Ankush Mohanty
>>> Cuttack Chapter Lead
>>>
>>
>> --
> Thanks and Regards
> Ankush Mohanty
> Cuttack Chapter Lead
>
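The distinction Erlend draws above (the attacker controls the request, and only the server's handling of that request turns a redirect into an open redirect) and the vulnerable pattern Michael and Erlend describe (`?redirect=https://evil.com` copied into `Location`) are both shown in the following added example. It is not code from the OWASP page or from anyone in the thread. The host `example.com`, the parameter name `location`, the attacker host `attacker.example` and the sample request URLs are assumptions constructed for the demonstration; the handlers stand in for the real HTTP round trip so the script runs offline.

```python
"""Open redirect: what the attacker can and cannot control.

Added example, not code from the OWASP page or from anyone in the thread.
The hostnames, the `location` parameter name and the sample request URLs
are assumptions made up for this demonstration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ALLOWED_HOST = "example.com"  # assumed: the site under test
FALLBACK = "/"                # where a rejected target lands


def _target_param(request_url, name="location"):
    """Return the value of the query parameter the server redirects to."""
    query = dict(parse_qsl(urlsplit(request_url).query))
    return query.get(name, "")


def vulnerable_redirect(request_url):
    """Server that copies the request parameter straight into Location.

    This is the pattern discussed in the thread: the attacker controls the
    *request* URL, and the response's Location header follows from it.
    Returns (status, location) as a stand-in for the HTTP response.
    """
    target = _target_param(request_url) or FALLBACK
    return 302, target


def sanitize_target(target, allowed_host=ALLOWED_HOST):
    """Allow only a local path or an https URL on the site's own host.

    Rejects absolute URLs to other hosts, protocol-relative targets
    (//evil.com), backslash variants (/\\evil.com), scheme-only tricks
    (https:evil.com) and userinfo tricks (https://example.com@evil.com).
    """
    if not target:
        return FALLBACK
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URL: exact netloc comparison also excludes userinfo
        # and explicit ports, which is deliberately conservative.
        same_host = parts.netloc.lower() == allowed_host.lower()
        if parts.scheme.lower() == "https" and same_host:
            return target
        return FALLBACK
    # Relative target: a single leading slash followed by a path.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target
    return FALLBACK


def hardened_redirect(request_url):
    """Same handler, but the target is validated before it reaches Location."""
    return 302, sanitize_target(_target_param(request_url))


def probe_open_redirect(handler, request_url, param="location",
                        attacker_url="https://attacker.example/"):
    """The OWASP test step as code: change the target in the *request*,
    replay it, and see whether the redirect now points at the attacker.

    `handler` stands in for sending the request and reading the response.
    """
    parts = urlsplit(request_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = attacker_url  # tamper with the request, not the response
    tampered = urlunsplit(parts._replace(query=urlencode(query)))
    status, location = handler(tampered)
    is_redirect = 300 <= status <= 307
    return is_redirect and urlsplit(location).netloc == urlsplit(attacker_url).netloc


if __name__ == "__main__":
    login = "https://example.com/login?location=/account"  # constructed sample
    print("vulnerable handler is open redirect:", probe_open_redirect(vulnerable_redirect, login))
    print("hardened handler is open redirect:  ", probe_open_redirect(hardened_redirect, login))
```

The probe only ever edits the request. Editing the `Location` header of a 302 in an intercepting proxy, as the colleague did, changes a response that only the tester's own browser will see, so it proves nothing about the server; the finding is valid only when a request parameter the attacker can put in a link is what ends up in `Location`, which is exactly what `probe_open_redirect` checks.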