
Phun with redirects

Posted: 31.10.2010 in Security

I love redirects in web applications. They are so often broken. I'm trying to list here the mistakes I have seen most often. Redirects are commonly used around login: the system tries to be friendlier to the user by returning him to the same page where he clicked the "Login" link. So let's imagine there is a site 'brokensite.xyz' with that kind of redirect. When the user clicks "Login", he is sent to http://brokensite.xyz/login.jsp?returl=returnpage.jsp.

First: lack of URL validation. The attacker can put any URL into the returl parameter. I usually replace the valid destination with http://google.com/, and if I end up on that page after logging in, the system is vulnerable. This should be one of the basic checks for any web application. In this case the test URL would be: http://brokensite.xyz/login.jsp?returl=http://google.com/.

Second: %0A in the middle of the URL, especially with JSP. %0A is a newline. When the redirect is made with an HTTP 30x result code (302, 301 or another), the target destination is given in the Location header. If the web application does not URL-encode the destination properly, the attacker can add new headers with %0A, and web browsers (at least Firefox) follow the last Location header. So in this case the attack URL would be: http://brokensite.xyz/login.jsp?returl=correctone.jsp%0ALocation:+http://google.com/
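The fix for both mistakes so far is the same: treat returl as untrusted input and validate it before it reaches the Location header. The following is an added example in Python, not code from the original post or from the site it describes; the host name brokensite.xyz, the function name and the fallback path are assumptions for illustration.

```python
# Added example (not from the original post): a strict validator for the
# returl parameter before it is placed in a 302 Location header. The host
# name, function name and default path are assumptions for illustration.
from urllib.parse import urlsplit, urlunsplit, unquote

ALLOWED_HOST = "brokensite.xyz"   # the hypothetical site from the post
DEFAULT_PATH = "/index.jsp"       # assumed landing page when returl is rejected


def validate_return_url(raw: str, default: str = DEFAULT_PATH) -> str:
    """Return a same-site path that is safe to put in a Location header.

    Anything that could send the user off-site or smuggle an extra header
    falls back to `default`:
      * absolute URLs to other hosts and protocol-relative //host paths
        (the first mistake: no URL validation),
      * CR, LF or any other control character, raw or percent-encoded
        (the second mistake: %0A splitting the Location header),
      * non-http(s) schemes such as javascript:.
    """
    if not raw:
        return default

    # Decode percent-encoding repeatedly so %0A and %250A are both seen.
    decoded = raw
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again

    # Refuse control characters before parsing: urlsplit() silently strips
    # \t, \r and \n, which would hide exactly the bytes we care about.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return default
    # Browsers treat a backslash like a slash, so /\evil.com becomes //evil.com.
    if "\\" in decoded:
        return default

    parts = urlsplit(decoded)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc.lower() != ALLOWED_HOST:
        return default

    # Anchor relative paths at the site root and refuse protocol-relative ones.
    path = parts.path or "/"
    if not path.startswith("/"):
        path = "/" + path
    if path.startswith("//"):
        return default

    # Rebuild without scheme or host, so the result can never point off-site.
    return urlunsplit(("", "", path, parts.query, ""))
```

The validator never echoes the raw value back; it rebuilds a relative URL from the parsed pieces, which is what makes the "replace the destination with http://google.com/" check fail against it.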

Third: incorrectly escaped " or ' when the redirect is done with a META tag or JavaScript. These cases are more like XSS or HTML-injection errors, but they can still be very effective. Usually the mistake happens with the META tag: developers tend to forget that inside tag attributes proper quote escaping is not done with a backslash. Let's assume the quote is escaped wrongly with a backslash, so " inside an attribute is converted to \", and only the characters ' and " are escaped.

To produce the result below, our URL must be: http://brokensite.xyz/login.jsp?returl=correctone.jsp?"<script>alert(1);</script>

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=correctone.jsp?\"><script>alert(1);</script>">

Fourth: JavaScript redirection that does not properly escape the character combination --> or ]]>, depending on what kind of hiding is used in the JavaScript. Those combinations usually end the JavaScript hiding and also escape from the quotes. So the JavaScript below is totally legal. It is created with the URL http://brokensite.xyz/login.jsp?returl=correctone.jsp+--></script><script>alert(1);</script>

<script><!--
window.location="correctone.jsp --></script><script>alert(1);</script>");
//-->
</script>
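The third and fourth mistakes are both output-encoding errors: a backslash is string-literal syntax and means nothing to the HTML parser, and a JavaScript string literal placed inside `<script>` still has to keep `</script>` and `-->` out of the page. The following added example, written in Python and not taken from the original post or from the site it describes, renders the META and JavaScript redirects with the backslash escaping described above next to the escaping each context actually needs. The function names are assumptions for illustration; the two inputs are the payloads quoted in the post.

```python
# Added example (not from the original post): the backslash-escaping mistake
# from the META and JavaScript redirects above, next to the escaping each
# context actually needs. Function names are assumptions for illustration;
# the two payloads are the ones quoted in the post.
import html
import json

# Constructed inputs, copied from the post's third and fourth examples.
META_PAYLOAD = 'correctone.jsp?"<script>alert(1);</script>'
JS_PAYLOAD = 'correctone.jsp --></script><script>alert(1);</script>'


def naive_backslash_escape(value: str) -> str:
    """The mistake: only ' and " are escaped, and with a backslash.
    That is string-literal syntax; an HTML attribute still ends at the quote."""
    return value.replace('"', '\\"').replace("'", "\\'")


def meta_redirect_broken(url: str) -> str:
    return '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=%s">' % naive_backslash_escape(url)


def meta_redirect_safe(url: str) -> str:
    # Attribute context: &, <, >, " and ' become entities, so the value can
    # neither close the attribute nor start a tag.
    return '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=%s">' % html.escape(url, quote=True)


def js_string_literal(value: str) -> str:
    """JSON-encode for a JavaScript string literal, then hex-escape the
    characters the HTML parser acts on, so neither </script> nor --> can
    appear in the page no matter what the value contains."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def js_redirect_broken(url: str) -> str:
    return '<script><!--\nwindow.location="%s";\n//-->\n</script>' % naive_backslash_escape(url)


def js_redirect_safe(url: str) -> str:
    return "<script>\nwindow.location=%s;\n</script>" % js_string_literal(url)


def breaks_out(markup: str) -> bool:
    """Test helper: true if the injected tag survives into the page unencoded."""
    return "<script>alert(1);</script>" in markup or "--></script>" in markup
```

Run `meta_redirect_broken(META_PAYLOAD)` and `js_redirect_broken(JS_PAYLOAD)` to reproduce the two fragments shown above; the `_safe` variants render the same inputs as inert text. Which encoder to use is decided by where the value lands (attribute or script), not by which characters look dangerous.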

If you are a developer and plan to implement a redirect, please use response codes instead of JavaScript or a META tag. JavaScript is the most vulnerable type of redirect, and the META tag can be turned off too easily. Always URL-encode everything you receive. Never trust anything that comes from the browser. Testers like me can be evil, but criminals can be even more evil.

Why are redirect errors bad? Well, thanks to the insecure SMTP protocol, a phisher can send victims mail with the from-address admin@brokensite.xyz. The mail says the account has been suspended and asks the user to log in at http://brokensite.xyz/login.jsp?returl=attackers_own_url. That page can then plant malware, steal the password by claiming the user typed it wrong and asking him to resubmit it, and so on. The attack possibilities are nearly unlimited.
