Let’s talk about open redirect vulnerability

Explanation

Redirects allow web applications to direct users to different pages within the same application or to external sites. Applications utilize redirects to aid in site navigation and, in some cases, to track how users exit the site. Open redirect vulnerabilities occur when a web application redirects clients to any arbitrary URL that can be controlled by an attacker.

An Open Redirection is when a web application or server uses an unvalidated user-submitted link to redirect the user to a given website or page. Even though it seems like a harmless action to let a user decide to which page he wants to be redirected, such technique if exploited can have a serious impact on the application security, especially when combined with other vulnerabilities and tricks.

Attackers may utilize open redirects to trick users into visiting a URL to a trusted site and redirecting them to a malicious site. By encoding the URL, an attacker is able to make it more difficult for end-users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted site. Open redirects are often abused as part of phishing scams to harvest sensitive end-user data.

Summary

The file Customer Login.aspx.cs (just a example) passes unvalidated data to an HTTP redirect . Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.

The following code instructs the user’s browser to open a URL parsed from the dest request parameter when a user clicks the link.

String redirect = Request["dest"];
Response.Redirect(redirect);

If a victim receives an email instructing the user to follow a link to “http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", the user might click on the link believing they would be transferred to the trusted site. However, when the user clicks the link, the code above will redirect the browser to “http://www.wilyhacker.com".

Many users have been educated to always inspect URLs they receive in emails to make sure the link specifies a trusted site they know. However…