Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
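As an added example that is not part of the scanner report, the following Python validator implements the remediation measures above: the server-side list of permitted targets indexed by a key, the web-root-relative check that prepends the application's own origin, and the absolute-URL check that requires the `http://yourdomainname.com/` prefix. `ALLOWED_ORIGIN` is the placeholder origin from the remediation text and `PERMITTED_TARGETS` is a constructed sample list; neither comes from the report. It also covers the two shapes a naive "starts with a slash" check misses, `//host` and `/\host`, which browsers treat as scheme-relative.

```python
# Added example (not part of the scanner report): a redirect-target
# validator implementing the remediation measures listed above.
# ALLOWED_ORIGIN is the placeholder origin used in the remediation text;
# PERMITTED_TARGETS is a constructed sample of the "server-side list" approach.
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "http://yourdomainname.com"  # placeholder, not a real deployment value
_ALLOWED = urlsplit(ALLOWED_ORIGIN)

# Preferred measure: the client passes an index into a server-side list,
# never a URL. Unknown indexes resolve to nothing (constructed sample entries).
PERMITTED_TARGETS = {
    "home": "/",
    "account": "/account/settings",
    "partner": "https://partner.example/landing",
}


def target_from_index(index):
    """Look up a permitted redirect target by its index; None if the index is unknown."""
    return PERMITTED_TARGETS.get(index)


def is_web_root_relative(value):
    """True only for paths relative to the web root.

    A single leading '/' is required; '//host' and '/\\host' are rejected because
    browsers treat both as scheme-relative (a different host), which is the classic
    bypass of a naive "starts with a slash" check. Anything that parses with a
    scheme or network location is rejected as well.
    """
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def is_same_origin_absolute(value):
    """True only for absolute URLs on ALLOWED_ORIGIN.

    The prefix check is the one from the remediation text; requiring the trailing
    '/' is what stops 'http://yourdomainname.com.attacker.example/' and
    'http://yourdomainname.com@attacker.example/' from matching. The parsed
    scheme and host are compared as a second, independent check.
    """
    if not value.startswith(ALLOWED_ORIGIN + "/"):
        return False
    parts = urlsplit(value)
    return parts.scheme == _ALLOWED.scheme and parts.netloc == _ALLOWED.netloc


def resolve_redirect(value):
    """Return the absolute URL to send in Location, or None to refuse the redirect.

    `value` is the already URL-decoded parameter value, as a web framework hands it
    to the handler (the report's payloads arrive percent-encoded on the wire).
    """
    if not isinstance(value, str) or value == "":
        return None
    # CR/LF/NUL in a redirect target would let the value break out of the header.
    if any(c in value for c in "\r\n\x00"):
        return None
    if is_web_root_relative(value):
        return ALLOWED_ORIGIN + value
    if is_same_origin_absolute(value):
        return value
    return None


if __name__ == "__main__":
    # Two payload shapes taken from the report above, plus common bypass shapes.
    samples = [
        "http://a2d2ba86e70534c2c/a?",
        "http://ada575468e9b5c006/a?http://admonkey.dapper.net/CookieMonster?cver=1",
        "//attacker.example/",
        "/\\attacker.example/",
        "http://yourdomainname.com.attacker.example/",
        "http://yourdomainname.com@attacker.example/",
        "/account/settings?tab=security",
        "http://yourdomainname.com/login",
    ]
    for s in samples:
        print(f"{s!r:75} -> {resolve_redirect(s)!r}")
```

Note that the absolute-URL rule is deliberately strict: `http://yourdomainname.com` with no trailing slash is refused, exactly as the prefix in the remediation text requires, because relaxing that prefix is what lets look-alike hosts and userinfo tricks through.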
The value of the d request parameter is used to perform an HTTP redirect. The payload http%3a//aee65550908e3704/a%3fhttp%3a//0.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536%3fs%3d55 was submitted in the d parameter. This caused a redirection to the following URL:
The value of the d request parameter is used to perform an HTTP redirect. The payload http%3a//ad30a1c7e59c0fce8/a%3fhttp%3a//www.therugged.com/wp-content/themes/therugged/images/default_avatar.jpg%3fs%3d80 was submitted in the d parameter. This caused a redirection to the following URL:
The value of the d request parameter is used to perform an HTTP redirect. The payload http%3a//a7b260a48d7bbb933/a%3fhttp%3a//0.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536%3fs%3d55 was submitted in the d parameter. This caused a redirection to the following URL:
The value of the d request parameter is used to perform an HTTP redirect. The payload http%3a//a668951bf79859301/a%3fhttp%3a//0.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536%3fs%3d55 was submitted in the d parameter. This caused a redirection to the following URL:
The value of the d request parameter is used to perform an HTTP redirect. The payload http%3a//a24693182fed81785/a%3fhttp%3a//1.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536%3fs%3d55 was submitted in the d parameter. This caused a redirection to the following URL:
The value of the r request parameter is used to perform an HTTP redirect. The payload http%3a//a2d2ba86e70534c2c/a%3f was submitted in the r parameter. This caused a redirection to the following URL:
http://a2d2ba86e70534c2c/a?
Request
GET /a/bpix?adv=100&id=10&format=image&r=http%3a//a2d2ba86e70534c2c/a%3f HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=998766;type=tmobi838;cat=tmobi392;ord=4678929757792.503?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nab=7; nat=1299284156207; uid2=46f1d48e0-947e-40ca-a51c-175a7c935a2f-gk88cxhl-10~2011030211314518281421320827~c8e51980-fb29-4db0-8467-3b0be5a75683; dly2=3-lhk7h6-P~ivx~1ud3-P~loe~x13-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lhk7h6-1~ojtufnzlvzku~bwu~2ohc~0-1~1pac95yo2nr9h~bwv~310i~ax-1~16eefehyvzt4b~bwv~4toh~1en-1~140kgoccv6f8u~hq7~434j~gwrf-1~1bsnn1xr8sjt2~hq7~434j~gwri-1~2chnfu804bjy~gye~43c1~kkql-; T_3gwb=eo7%3A1iogx%3A1; rth=2-lgpn7t-eo7~1iogx~1~1-e98~1iog2~1~1-cr6~1gchu~1~1-agw~1fx34~1~1-cjh~1fx2n~1~1-agu~18jtp~1~1-901~zwmd~1~1-aw6~zwmc~1~1-ex0~xmrt~1~1-gyx~uk9d~1~1-exw~uiwo~1~1-45~uij1~1~1-44~s470~1~1-f5h~s2k0~1~1-d9e~qdly~1~1-9bc~qdls~1~1-77m~2z8a~1~1-
The value of the next request parameter is used to perform an HTTP redirect. The payload http%3a//a7d1a6e7d0f7a4e3d/a%3fhttp%3a//www.googleadservices.com/pagead/conversion/1045337482/%3flabel%3dWtIBCKjK1gEQiqu68gM%26amp%3bguid%3dON%26amp%3bscript%3d0 was submitted in the next parameter. This caused a redirection to the following URL:
The value of the dst request parameter is used to perform an HTTP redirect. The payload http%3a//ada575468e9b5c006/a%3fhttp%3a//admonkey.dapper.net/CookieMonster%3fcver%3d1%26adx%3doxrtb%26next%3dhttp%253A%252F%252Fwww.googleadservices.com%252Fpagead%252Fconversion%252F1045337482%252F%253Flabel%253DWtIBCKjK1gEQiqu68gM%2526amp%253Bguid%253DON%2526amp%253Bscript%253D0%26cid%3d was submitted in the dst parameter. This caused a redirection to the following URL:
GET /cm?pid=a76ec9ab-5a39-4f6c-ab8a-af58649dc832&dst=http%3a//ada575468e9b5c006/a%3fhttp%3a//admonkey.dapper.net/CookieMonster%3fcver%3d1%26adx%3doxrtb%26next%3dhttp%253A%252F%252Fwww.googleadservices.com%252Fpagead%252Fconversion%252F1045337482%252F%253Flabel%253DWtIBCKjK1gEQiqu68gM%2526amp%253Bguid%253DON%2526amp%253Bscript%253D0%26cid%3d HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.lanebryant.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rp=H4sIAAAAAAAAAONlYOTgYAABAFIvYgUKAAAA; p=1300282350; i=212f8689-e963-4366-a0bb-ea2023fbb3e4
Response
HTTP/1.1 302 OK
Content-Type: text/html; charset=utf-8
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Location: http://ada575468e9b5c006/a?http://admonkey.dapper.net/CookieMonster?cver=1&adx=oxrtb&next=http%3A%2F%2Fwww.googleadservices.com%2Fpagead%2Fconversion%2F1045337482%2F%3Flabel%3DWtIBCKjK1gEQiqu68gM%26amp%3Bguid%3DON%26amp%3Bscript%3D0&cid=e523c618-0a54-42af-9c3a-066c41a88b7c
Content-Length: 0
The value of the rurl request parameter is used to perform an HTTP redirect. The payload http%3a//a823d33868c25feed/a%3fhttp%3a//image2.pubmatic.com/AdServer/Pug%3fvcode%3dbz0yJnR5cGU9MSZjb2RlPTU3MSZ0bD0xNTc2ODAw was submitted in the rurl parameter. This caused a redirection to the following URL:
The value of the pubmatic_callback request parameter is used to perform an HTTP redirect. The payload http%3a//a897c1a49fcb72eda/a%3fhttp%3a//image2.pubmatic.com/AdServer/Pug%3fvcode%3dbz0yJnR5cGU9MSZjb2RlPTM5MCZ0bD0xMjk2MDA%3d was submitted in the pubmatic_callback parameter. This caused a redirection to the following URL:
HTTP/1.0 302 Found
Server: IM BidManager
Date: Sun, 20 Mar 2011 12:36:21 GMT
Expires: Sun, 20-Mar-2011 12:36:01 GMT
Location: http://a897c1a49fcb72eda/a?http%3A%2F%2Fimage2.pubmatic.com%2FAdServer%2FPug%3Fvcode=bz0yJnR5cGU9MSZjb2RlPTM5MCZ0bD0xMjk2MDA%3D&piggybackCookie=002d9af2-d1e0-46f3-a4d5-a4e3b437adec.11265.18531.24197.6790.30337.8.6551.39832.10011.10012.4387.39857.7472.1073.51806.24680.39233.13893.13896.1097.13899.13902.38627.15694.15579.9691.51808.3427.18407.17256.24809.39536.39793.39794.11262.51069.1150.9855.
Pragma: no-cache
Cache-Control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/plain
Report generated by XSS.CX at Sun Mar 20 09:16:14 CDT 2011.