Everything is vulnerable, as they say. The trend seems to be getting worse with the ever-increasing number of connected “smart” devices.
What matters is, how one addresses what is vulnerable and how quickly.
Yesterday, my regular Monday morning started with a 32 oz. mug of coffee and an email invite to join an online network from a random member of the University of Nebraska Omaha, who probably mistook my highly common name for someone else at the university. Nevertheless, I went ahead and signed up for the cool-looking site, StartupTree. There’s something about the buzzwords “entrepreneurship”, “startups”, “venture capitalists” etc. that sends me back to my undergraduate years!
Moments later, I noticed the signup page was using a GET parameter in the URL called “next”. As most web developers know, GET parameters named “next” or “url” are typically used to send the user on to a specified (usually internal) URL after signup or login, such as the account dashboard. That is:
https://*.startuptree.co/login?next=<.../some/internal/page>
There I found a simple yet dangerous Open Redirect vulnerability (CWE-601). Upon changing the value of the “next” parameter to a URL on an external domain, such as https://google.com, the website redirected the user to that external page with no check that the destination was part of the site.
Aha! As expected, I got redirected to Google! This was enough for demonstration purposes.
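To make the flaw and its fix concrete, here is an added example of my own; it is not StartupTree’s code (their stack is not known to me) and it assumes a hypothetical origin of https://app.startuptree.co and a default landing page of /dashboard. The first function is the naive pattern that produces CWE-601: whatever arrives in “next” becomes the Location header. The second resolves the parameter against the site’s own origin, accepts it only if the resulting scheme and host match, and then re-emits just the path, query and fragment, so the browser can never be sent off-site. The inputs at the bottom are constructed test cases, including the protocol-relative and backslash variants that simple “does it start with a slash” checks get wrong.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: the real origin is not shown in the post, only *.startuptree.co.
SITE_ORIGIN = "https://app.startuptree.co"
DEFAULT_NEXT = "/dashboard"


def vulnerable_redirect_target(next_param: str) -> str:
    """Naive handler: trusts ?next= completely. This is the CWE-601 flaw."""
    return next_param or DEFAULT_NEXT


def safe_redirect_target(next_param: str, site_origin: str = SITE_ORIGIN) -> str:
    """Return a redirect target that always stays on site_origin.

    The parameter is resolved against the site origin (so plain relative
    paths keep working), the resolved scheme and host are compared with the
    site's own, and only the path/query/fragment is handed back. Anything
    that resolves elsewhere falls back to DEFAULT_NEXT.
    """
    if not next_param:
        return DEFAULT_NEXT

    # Browsers treat backslashes as forward slashes in http(s) URLs and strip
    # leading whitespace, so normalise the same way before parsing; otherwise
    # '/\\evil.example' would look like a local path to the parser.
    candidate = next_param.strip().replace("\\", "/")

    site = urlsplit(site_origin)
    target = urlsplit(urljoin(site_origin, candidate))

    if target.scheme != site.scheme or target.netloc.lower() != site.netloc.lower():
        return DEFAULT_NEXT

    # Re-emit a site-relative target rather than the parsed absolute URL, so
    # corner cases where urljoin and a browser disagree (e.g. '///host') still
    # end up on our own origin.
    path = target.path or "/"
    if target.query:
        path += "?" + target.query
    if target.fragment:
        path += "#" + target.fragment
    return path


# Constructed inputs for demonstration; not taken from the site.
SAMPLE_NEXT_VALUES = [
    "/profile?tab=1#x",                        # legitimate internal page
    "https://app.startuptree.co/settings",     # absolute, but our own host
    "https://google.com",                      # the case in the post
    "//google.com/",                           # protocol-relative
    "/\\google.com",                           # backslash trick
    "javascript:alert(1)",                     # non-http scheme
    "https://app.startuptree.co.evil.example/",# host suffix confusion
    "https://app.startuptree.co@evil.example/",# userinfo trick
    "///evil.example",                         # triple slash
]

if __name__ == "__main__":
    for value in SAMPLE_NEXT_VALUES:
        print(f"{value!r:45} naive={vulnerable_redirect_target(value)!r:45} "
              f"safe={safe_redirect_target(value)!r}")
```

The key design choice is comparing the parsed host of the fully resolved URL rather than inspecting the raw string, and then never echoing the attacker’s absolute URL back. Prefix checks such as “starts with /” or “contains startuptree.co” fail on several of the inputs above; an allow-list of known internal paths is an equally valid fix where the set of landing pages is small.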
Open Redirects may look like simple, innocuous flaws, but attackers actively exploit them to build convincing phishing attacks. Such attacks succeed in part because the domain part of the URL really is legitimate, which makes the link look “clean” to an unsuspecting user: the website is still https://*.startuptree.co, and everything after that can easily be URL-encoded or otherwise masked. A malicious actor, for example, could make a user log in on StartupTree’s page and replace the “next”
…