An Open Redirection is when a web application or server uses a user-submitted link to redirect the user to a given website or page. Even though letting a user decide which page to be redirected to seems like a harmless action, such a technique can have a serious impact if exploited, especially when combined with other vulnerabilities and tricks.
How Can an Open Redirect Web Vulnerability be Exploited?
Abusing the Trust Users Have in the Vulnerable Website
Since the domain name in a URL is typically the only indicator for a user to recognize a legitimate website from a non-legitimate one, an attacker can abuse this trust to exploit an open redirect vulnerability on the vulnerable website, and redirect the user to a malicious page to execute further attacks, as explained in the following sections.
Exploiting an Open Redirect Vulnerability for a Phishing Attack
When a user clicks on a link to a legitimate website, they often won’t be suspicious if a login prompt suddenly shows up. To launch a successful phishing attack, the attacker sends the victim a link, for example via email, which exploits the vulnerability on the vulnerable website example.com:
By exploiting the open redirect vulnerability on the legitimate website, the attacker redirects the victim to http://attacker.com/phish, a phishing page that looks like the legitimate website. Once the visitor is on the attacker’s malicious website, they enter their credentials into a login form that points to a script controlled by the attacker. The script is typically used to save the username and password typed in by the victim, which the attacker uses at a later stage to impersonate the victim on the legitimate website.
The probability of a successful phishing attack is quite high, since the domain example.com is what the user sees when clicking the link.
Exploiting an Open Redirect Vulnerability to Redirect Victims to Malicious Websites
It is also possible to redirect an otherwise careful internet user to a site hosting attacker-controlled content, such as a browser exploit or a page executing a CSRF attack. As above, the chances that the victim clicks the link are higher if the site the link appears to point to is trusted by the victim. An example is an open redirect on a trustworthy page, such as a banking site, that sends the victim to a page with a CSRF exploit against a vulnerable WordPress plugin.
Exploiting an Open Redirection Vulnerability to Execute Code
Another URI scheme that’s useful for an attacker is data:. While this no longer works in WebKit-based browsers like Google Chrome or Opera, in Mozilla Firefox the attacker can still redirect to it. A data: URI writes its content directly into the browser window, which could ease the process of creating phishing pages, even without a web server to host them.
What Is the Impact of an Open Redirection Vulnerability?
As mentioned above, the impacts can be many, and range from theft of information and credentials to redirection to malicious websites containing attacker-controlled content, which in some cases even leads to XSS attacks. So even though an open redirection might sound harmless at first, its impact can be severe should it be exploitable.
How Can You Prevent Open Redirection Vulnerabilities?
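As an added example (not code from the original article), the following Python snippet shows the unsafe pattern from the sections above, where the user-supplied parameter becomes the redirect target unchanged, next to a hardened version that only ever emits a same-site relative path. The trusted host name example.com and the helper names are assumptions for the example; the hardened function rejects the http://attacker.com/phish, protocol-relative and data: targets discussed above.

```python
from typing import Optional
from urllib.parse import urljoin, urlparse

# Assumed trusted host for the example; the article only names example.com
# as the site carrying the open redirect.
TRUSTED_HOST = "example.com"


def vulnerable_redirect_target(url_param: str) -> str:
    """'Before' form: whatever the user submitted becomes the Location header."""
    return url_param


def safe_redirect_target(url_param: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Return a relative path on trusted_host, or '/' when the input is not safe.

    Rules enforced:
    - only http/https are accepted, so data:, javascript: and similar are dropped
    - the resolved URL's host must equal trusted_host exactly
      (so example.com.attacker.com and user@host tricks are rejected)
    - the result is rebuilt as path[?query], never echoed back verbatim
    """
    base = f"https://{trusted_host}/"
    candidate = url_param.strip()
    # Browsers treat backslashes as slashes, so "\\attacker.com" would otherwise
    # slip past a naive check; normalise before resolving.
    candidate = candidate.replace("\\", "/")
    # Resolve relative and protocol-relative ("//attacker.com") values against
    # the trusted origin so that the host comparison below sees the real host.
    resolved = urljoin(base, candidate)
    parsed = urlparse(resolved)

    if parsed.scheme not in ("http", "https"):
        return "/"
    host: Optional[str] = parsed.hostname
    if host != trusted_host:
        return "/"

    path = parsed.path or "/"
    return f"{path}?{parsed.query}" if parsed.query else path


if __name__ == "__main__":
    # Constructed inputs mirroring the cases described in the article.
    for value in ("http://attacker.com/phish", "//attacker.com/phish",
                  "data:text/html,<h1>login</h1>", "/account/settings"):
        print(f"{value!r:40} -> vulnerable: {vulnerable_redirect_target(value)!r:40} "
              f"safe: {safe_redirect_target(value)!r}")
```

Rebuilding the target from the parsed path and query, rather than returning the validated input string, is deliberate: it means odd spellings that Python and a browser might parse differently (for instance a scheme without slashes) can never reach the Location header as an absolute URL.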
Host Header Attack Hunting
– Find a URL that returns a 2xx or 3xx status code.
– Try each 2xx/3xx response once:
status code 200 | 201 | 202 | 203 | 204
status code 300 | 301 | 302 | 303 | 304
You need to find such URLs on the target website.
In this case we will use Burp Suite.
Target website: www.hackersera.com
1. Intercept a request to the target website.
2. Spider the website and look for parameters.
3. Look for responses with status codes 200–204 or 300–304.
4. Select the response and send it to Repeater.
Method 1 to find host header injection:
– Change the real host to bing.com.
– In the Host: header, change the website name.
Method 2 to find host header injection:
Change Host from realweb.com to bing.com
Set X-Forwarded-Host to realweb.com
Method 3 to find host header injection:
Set Host to realweb.com
and set X-Forwarded-Host to bing.com
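The three request variants above are what a server should be tested against from the defender's side as well. As an added example (not part of these notes), the Python function below shows how a backend can decide which host name to trust: the Host header must match an allowlist, and X-Forwarded-Host is only honoured when the request is known to come from the site's own reverse proxy, and even then only if it is on the allowlist. The allowlist contents, the trusted-proxy flag and the helper names are assumptions for the example; realweb.com and bing.com are the placeholder names used in the notes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed allowlist of names this site is willing to be addressed by.
ALLOWED_HOSTS: Set[str] = {"realweb.com", "www.realweb.com"}


@dataclass
class HostDecision:
    accepted: bool                 # serve the request at all?
    canonical_host: Optional[str]  # host to use when building absolute URLs
    reason: str                    # human-readable explanation for logs


def _normalize_host(value: str) -> str:
    """Lower-case the name and drop a trailing :port (IPv6 literals not handled)."""
    return value.strip().lower().split(":")[0]


def resolve_request_host(headers: Dict[str, str],
                         allowed_hosts: Set[str] = ALLOWED_HOSTS,
                         from_trusted_proxy: bool = False) -> HostDecision:
    """Decide whether to accept a request and which host name to trust.

    Method 1 and Method 2 from the notes (Host changed to bing.com, with or
    without X-Forwarded-Host: realweb.com) are rejected outright, because the
    Host header itself is not on the allowlist and X-Forwarded-Host can never
    rescue it.  Method 3 (Host: realweb.com, X-Forwarded-Host: bing.com) is
    served, but the forwarded value is ignored unless a trusted proxy set it,
    and even then it still has to be on the allowlist.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    host = _normalize_host(lowered.get("host", ""))
    forwarded = _normalize_host(lowered.get("x-forwarded-host", ""))

    if host not in allowed_hosts:
        return HostDecision(False, None, f"Host {host!r} is not in the allowlist")

    if forwarded and not from_trusted_proxy:
        # Untrusted client supplied the header: serve the request, but log it
        # and keep using the validated Host value.
        return HostDecision(True, host,
                            f"ignored X-Forwarded-Host {forwarded!r} from an untrusted source")

    if forwarded and forwarded not in allowed_hosts:
        return HostDecision(False, None,
                            f"X-Forwarded-Host {forwarded!r} is not in the allowlist")

    return HostDecision(True, forwarded or host, "ok")


if __name__ == "__main__":
    # Constructed requests matching the three methods in the notes.
    probes = [
        {"Host": "bing.com"},
        {"Host": "bing.com", "X-Forwarded-Host": "realweb.com"},
        {"Host": "realweb.com", "X-Forwarded-Host": "bing.com"},
    ]
    for n, hdrs in enumerate(probes, start=1):
        print(f"method {n}: {resolve_request_host(hdrs)}")
```

Because `canonical_host` is what the application should use when it builds absolute links (for example in a Location header), a reviewer can check the three probe variants in the notes against this one function instead of reading every place the Host header is consumed.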