Phun with redirects

Posted: 31.10.2010 in Security

I love redirections in web applications. They are so often broken. I am trying to list here the mistakes I have seen most often. Redirections are often used in places like login: the system tries to be friendlier to users by returning the user to the same page where he clicked the "Login" link. So let's imagine there is a page '' which has that kind of redirection. When the user clicks "Login", he is directed to the page

First: lack of URL validation. The attacker is able to set any URL in the returl parameter. I usually try to replace the valid destination with and if I end up on that page after I have logged in, the system is vulnerable. This should be one of the basic checks for web applications. In this case it would be:

Second: %0A in the middle of the URL, especially with JSP. %0A is a new line. When the redirection is made with an HTTP 30x result code (302, 301 or some other), the target destination is given in the Location header. If the web application does not URL-encode the destination properly, the attacker can add new headers with %0A, and web browsers (at least Firefox) redirect to the last Location destination. So in this case the attack URL would be:

Third: incorrectly escaped " or ' when the redirection is done with a META tag or JavaScript. These cases are more like XSS or HTML injection errors, but they can still be very effective. Usually the mistake happens with the META tag: developers tend to forget that in tag attributes quotes are not escaped with a backslash. Let's assume that the quote is now escaped wrongly with a backslash, so " in the attribute is converted to \". Only the characters ' and " are escaped.

To produce the result below, our URL must be: "><script>alert(1);</script>

CONTENT="0; URL=correctone.jsp?\"><script>alert(1);</script>

Fourth: the JavaScript redirection does not properly escape the character combination --> or ]]>, depending on what kind of hiding is used in the JavaScript. Those usually end the JavaScript hiding and also escape from the quotes, so the JavaScript below is totally legal. It is created with the URL --></script><script>alert(1);</script>

window.location="correctone.jsp --></script><script>alert(1);</script>");


If you are a developer and plan to make a redirection, please use response codes instead of JavaScript and META tags. JavaScript is the most vulnerable type of redirection, and a META tag can be turned off too easily. Always URL-encode everything you receive. Never trust anything that comes from the browser. Testers, like me, can be evil, but criminals can be even more evil.
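One way to validate the returl parameter so that none of the four mistakes above applies (off-site targets, %0A header injection, quote and tag breakouts in META or JavaScript output), written in Python as an added example and not code from the original post; the fallback path "/" and the constructed sample inputs are assumptions.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

DEFAULT_RETURN = "/"   # assumed fallback when the parameter is not a site-local path


def safe_return_url(returl: str) -> str:
    """Turn a user-supplied 'return URL' into a site-local path that is safe
    to emit in a Location header, a META refresh or a JavaScript string.

    Anything that is not a plain path on this site falls back to DEFAULT_RETURN.
    """
    if not returl:
        return DEFAULT_RETURN
    # Decode once so %0A, %0D or %00 cannot hide from the checks below.
    decoded = unquote(returl)
    # Control characters (CR, LF, NUL, ...) never belong in a redirect target;
    # CR/LF is exactly what Location-header injection relies on.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return DEFAULT_RETURN
    # Some browsers treat a backslash like a slash ("/\evil.example").
    if "\\" in decoded:
        return DEFAULT_RETURN
    parts = urlsplit(decoded)
    # A scheme ("http:", "javascript:") or a host ("//evil.example") means an
    # off-site destination; only same-site paths are allowed.
    if parts.scheme or parts.netloc:
        return DEFAULT_RETURN
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    # Re-encode: quotes, angle brackets, spaces and anything else that could
    # break out of an attribute or a script string become %XX escapes.
    path = quote(path, safe="/")
    query = quote(parts.query, safe="=&+")
    return urlunsplit(("", "", path, query, ""))


if __name__ == "__main__":
    # Constructed inputs mirroring the four mistakes described in the post.
    for candidate in (
        "correctone.jsp?page=3",
        "http://evil.example/login",
        "correctone.jsp%0ALocation:%20http://evil.example/",
        'correctone.jsp?"><script>alert(1);</script>',
        "correctone.jsp --></script><script>alert(1);</script>",
    ):
        print(repr(candidate), "->", safe_return_url(candidate))
```

Only the first sample survives as a usable destination; every other one either falls back to "/" or comes out percent-encoded so it cannot close the attribute, the string or the script.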

Why are redirection errors bad? Well, thanks to the insecure SMTP protocol, a phisher can send the victims a mail with the from-address Mail says that the account has been suspended and requests the user to log in to And that page can insert malware, steal the password by telling the user that he gave a wrong password and asking him to resubmit it, and so on. The attack possibilities are nearly unlimited.

  1. Cool One.

    The first vulnerability that you have listed, I have seen in most of the applications that are famous [I wouldn't name them]. Now, it is so easy to create a spoof page with the same GUI and then use a URL shortener service so that some people do not recognize what the redirect URL is 😛

    Now, when they click they see a similar GUI to that of the genuine website and they get fooled, and the attacker loves to get the details he / she wants [Example: after clicking on the Login button, redirect it to a spoof page where Password and Confirm Password fields exist; the victim enters them and BOOM!!!].


  2. […] application is not validating its input correctly. I have written about that before at post "Phun with redirects". But second is more fundamental failure. It's at e-mail protocol. The From field is […]
