[Owasp-leaders] A query regarding Unvalidated redirect

Ankush Mohanty ankush.mohanty at owasp.org
Thu Jan 4 16:17:37 UTC 2018


Thank you all for the brief clarification on the statement.

On Thu, 4 Jan 2018 at 8:26 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

> If you are merely directly tampering with the Location HTTP response
> header on the 302 response using some MITM proxy like ZAP or Burp then
> there is no issue here; the browser is just doing what it is supposed to be
> doing. However if you are changing this by changing a request parameter or
> injecting an additional Location header using something like HTTP Response
> Splitting, etc., then as others described, you have an open redirect.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
> NSA: All your crypto bit are belong to us.
>
> On Jan 4, 2018 8:57 AM, "Ankush Mohanty" <ankush.mohanty at owasp.org> wrote:
>
> Thank you for your quick response.
>
> Got your point and I am also acquainted with your scenario. But here the
> explanation on the OWASP site is
>
>
>    1. Also, spider the site to see if it generates any redirects (HTTP
>    response codes 300-307, typically 302). Look at the parameters supplied
>    prior to the redirect to see if they appear to be a target URL *or a
>    piece of such a URL. If so, change the URL target and observe whether the
>    site redirects to the new target.*
>
>
> Please clarify the underlined statement.
>
>
> Thanks
> Ankush
>
> On Thu, 4 Jan 2018 at 6:59 PM, Erlend Oftedal <erlend at oftedal.no> wrote:
>
>> I don't understand. How is he tampering with the location parameter? Is
>> it the Location header or a parameter? You only shared the 302 response,
>> not the request leading to the response. For this to be valid, you need to
>> tamper with the request (not the response), which then affects the response.
>>
>> Erlend
>>
>> On 4 January 2018 at 14:26, Ankush Mohanty <ankush.mohanty at owasp.org>
>> wrote:
>>
>>> No, it doesn't.
>>>
>>> Actually my colleague is just tampering with the 302 Found’s Location
>>> parameter to (google.com), already shared the screenshot. And he is
>>> showing me the OWASP top 10 2013 A10
>>> https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
>>>
>>>
>>>    1. Also, spider the site to see if it generates any redirects (HTTP
>>>    response codes 300-307, typically 302). Look at the parameters supplied
>>>    prior to the redirect to see if they appear to be a target URL or a piece
>>>    of such a URL. If so, change the URL target and observe whether the site
>>>    redirects to the new target.”
>>>
>>>
>>> So according to this, is it valid (severity may be low or medium depending on the
>>> situation) or simply invalid?
>>>
>>> Thanks
>>> Ankush
>>>
>>> On Thu, 4 Jan 2018 at 2:24 PM, Erlend Oftedal <erlend at oftedal.no> wrote:
>>>
>>>> So the location parameter is a URL parameter or a body parameter?
>>>> Like:
>>>> https://example.com/something?location=http://evil.com
>>>> and then you get a 302 with the Location header set to http://evil.com
>>>> ?
>>>> If so, yes, this is an open redirect and could be used for phishing etc.
>>>>
>>>> Erlend
>>>>
>>>>
>>>> On 4 January 2018 at 03:58, Ankush Mohanty <ankush.mohanty at owasp.org>
>>>> wrote:
>>>>
>>>>> Hi Michael,
>>>>>
>>>>> Thank you for your info.
>>>>>
>>>>> I know the scenario you gave and completely agree with you.
>>>>> He is changing the whole location parameter to an external domain and it
>>>>> is going directly to that domain with the Referer parameter containing our
>>>>> application URL. According to me and some of my friends this should not
>>>>> happen (maybe the severity of this vulnerability is low or medium depending on the
>>>>> situation).
>>>>>
>>>>> Please correct me if I am wrong.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Ankush
>>>>>
>>>>> On Thu, 4 Jan 2018 at 2:30 AM, Michael V. Scovetta <
>>>>> michael.scovetta at gmail.com> wrote:
>>>>>
>>>>>> Hi Ankush,
>>>>>>   How did your colleague replace the location parameter? Usually,
>>>>>> this is vulnerable if there's something like
>>>>>> https://blah.com?redirect=https://evil.com and then the server takes
>>>>>> the https://evil.com and sticks it into the location parameter. The
>>>>>> attack is that I just send you an email with a link to
>>>>>> https://your-trusted-bank.com?gobblygook, which of course you trust
>>>>>> because it's your bank website, and then you get prompted for creds at
>>>>>> https://y0ur-trusted-bank.com which you don't notice is different,
>>>>>> because phishing... etc.
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>> On Wed, Jan 3, 2018 at 9:22 AM, Ankush Mohanty <
>>>>>> ankush.mohanty at owasp.org> wrote:
>>>>>>
>>>>>>> Dear leaders,
>>>>>>>
>>>>>>> One of my colleagues got an issue on a *302 Found* response. He just
>>>>>>> replaced the *Location* parameter with an external domain
>>>>>>> (www.google.com) and was redirected to the external domain without
>>>>>>> hesitation. According to OWASP Top 10 2012 A10 (Am I vulnerable... point no
>>>>>>> 2) it should be a vulnerability.
>>>>>>>
>>>>>>>
>>>>>>> Attaching the screenshot of the 302 response. Please let me know
>>>>>>> whether I am correct or not.
>>>>>>>
>>>>>>>
>>>>>>> Thanks & Regards
>>>>>>> Ankush Mohanty
>>>>>>> --
>>>>>>> Thanks and Regards
>>>>>>> Ankush Mohanty
>>>>>>> Cuttack Chapter Lead
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> -[ Michael Scovetta ]-
>>>>>>
>>>>> --
>>>>> Thanks and Regards
>>>>> Ankush Mohanty
>>>>> Cuttack Chapter Lead
>>>>>
>>>>>
>>>> --
>>> Thanks and Regards
>>> Ankush Mohanty
>>> Cuttack Chapter Lead
>>>
>>
>> --
> Thanks and Regards
> Ankush Mohanty
> Cuttack Chapter Lead
>
>
> --
Thanks and Regards
Ankush Mohanty
Cuttack Chapter Lead
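To make the distinction drawn in this thread concrete, here is an added example (not code from the thread, from OWASP, or from any project discussed in it) of the pattern the replies describe: a 302 handler that copies a request parameter straight into the Location header, beside a hardened handler that only ever emits a path on the application's own origin. The parameter name `next`, the hostname `app.example.com`, and the helper names are all constructed for illustration.

```python
"""Open-redirect demo: a 302 handler that copies a request parameter into
Location (the vulnerable pattern) beside a hardened one that only emits
same-origin targets. Added example, not code from the thread or from OWASP;
the hostname and parameter name are constructed for illustration."""
from urllib.parse import urlsplit, parse_qs

DEFAULT_TARGET = "/"          # where to send the user when the requested target is rejected
APP_HOST = "app.example.com"  # constructed hostname of the application


def vulnerable_redirect(query_string):
    """Vulnerable pattern: whatever ?next=... says becomes the Location header.
    ?next=http://evil.com therefore produces 'Location: http://evil.com'."""
    target = parse_qs(query_string).get("next", [DEFAULT_TARGET])[0]
    return {"status": 302, "headers": [("Location", target)]}


def safe_redirect_target(candidate, app_host=APP_HOST, default=DEFAULT_TARGET):
    """Reduce a user-supplied redirect target to a local path on our own origin,
    or fall back to `default` if it cannot be shown to be local.

    The returned string always starts with a single '/'."""
    if not candidate:
        return default
    # CR/LF in the value would let the parameter inject extra headers
    # (response splitting); browsers treat '\\' like '/', so '/\\evil.com'
    # would be resolved as '//evil.com'. Reject both outright.
    if any(ch in candidate for ch in "\r\n\\"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only accept it if it points at us.
        # This rejects http://evil.com, //evil.com, javascript:..., and
        # look-alikes such as http://app.example.com@evil.com/ (userinfo
        # trick) or http://app.example.com.evil.com/.
        if parts.scheme and parts.scheme.lower() not in ("http", "https"):
            return default
        if (parts.hostname or "") != app_host.lower():
            return default
    path = parts.path or "/"
    # A relative reference must be a single-slash path; '//host' is scheme-relative.
    if not path.startswith("/") or path.startswith("//"):
        return default
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


def hardened_redirect(query_string, app_host=APP_HOST):
    """Hardened handler: same 302, but Location is always a validated local path."""
    raw = parse_qs(query_string).get("next", [""])[0]
    return {"status": 302, "headers": [("Location", safe_redirect_target(raw, app_host))]}


if __name__ == "__main__":
    # Constructed query strings a tester would try against the redirect endpoint.
    for qs in ("next=/account/settings", "next=http://evil.com", "next=//evil.com/x"):
        print(qs, "->", vulnerable_redirect(qs)["headers"],
              "| hardened:", hardened_redirect(qs)["headers"])
```

This is the check Kevin and Erlend describe: the finding is only an open redirect if a value the client controls in the request (`next` here) drives the Location header, as in `vulnerable_redirect`; editing the Location header of the response in an intercepting proxy changes only the tester's own copy of the response and demonstrates nothing. The hardened version side-steps host-matching pitfalls by collapsing every accepted target to a local path rather than echoing the original URL.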
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_2132.jpg
Type: image/jpeg
Size: 1692428 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20180104/75a09d55/attachment-0001.jpg>