Security and Open Redirects

Impact of 301-ing people in 2013



What's this deck about?
Quick recap of Open Redirects
Potential security impact on certain cases
Take away minutes for both devs and users

oh not again... Is it really necessary?

YES!

Open Redirs are everywhere

Open Redirs are usually neglected (for a good reason)

Not even OWASP takes them seriously

Truth is, they CAN become an issue

Their impact on complex apps is not easy to grasp

A world of subtleties

Different redirection techniques

Browsers do not behave consistently

Different contexts produce different results

Frequently chained with other vulnerabilities

Since providing arbitrary redirections may be considered the very purpose of certain applications (such as URL shorteners), Open Redirections are usually only discussed in the context of security and as potential targets for abuse.

So let's learn... why and when to take them into account

Quick recap of Open Redirects

A quick recap. Open Redirects: any functionality on a web application that can be used to redirect users to arbitrary resources

Accomplished by means of...
HTTP 30x status codes: purest form
Refresh meta tag / header: slower and sometimes (un)safer
JavaScript: location API mostly
onclick redirects: interstitials, content proxies...
other weird methods: WML <go> tag (Opera)

HTTP 30x Status codes
301 Moved Permanently
302 Found
303 See Other
  Generate new request for the URL in Location: header
  POST verb is replaced by GET and request body removed
  location.hash is forwarded even cross-domain
307 Temporary Redirect (HTTP 1.1 only)
  Like 302 but POST is not downgraded to GET
  Rarely seen

Refresh meta tag / header
<meta http-equiv="refresh" content="0;URL=scheme://authority/">
Refresh: 0;url=scheme://authority

Usually used for deferred redirections (Interstitials)

No Referer is sent

URLs with semicolons may cause problems and cannot be escaped reliably

JavaScript redirects
location = ...;
location.replace(...);
location.assign(...);
location.href = ...;
document.URL = ...;
...
Most browsers populate the Referer header
IE 9 also does, but IE <=8 does not (link.click() workaround)

Open redirects habitat
login/logout pages (?next= ?path= ?goto= ?returnto= ...)
SSO and Authorization frameworks (SAML, OAuth2...)
Identity providers
Filewrappers and content proxies
Clicktrackers, Interstitial warnings
Post/Redirect/Get design patterns
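The login page with a ?next= parameter is the most common habitat in the list above, so here is the check a login handler can apply before issuing the redirect. This is an added example, not code from the deck; the origin https://app.example and the two handler names are assumed for illustration. It accepts only path-relative, same-origin targets and rejects absolute URLs to other hosts, protocol-relative //host forms, any explicit scheme (https:, javascript:, data:), and backslash or control-character variants that some browsers normalise into a different host.

```python
from urllib.parse import urlsplit, urljoin

# Assumed application origin for this example (not from the deck).
APP_ORIGIN = "https://app.example"


def is_safe_redirect_target(target: str, app_origin: str = APP_ORIGIN) -> bool:
    """Accept only same-origin, path-relative targets such as '/inbox?tab=1'.

    Everything else (other hosts, '//host' protocol-relative URLs, any explicit
    scheme, backslashes or control characters) is rejected, so the redirect can
    never leave the application's own origin.
    """
    if not target:
        return False
    # Whitespace, control characters and backslashes are normalised by some
    # browsers in ways a naive string check does not anticipate (for example
    # '/\\evil.example' being read as '//evil.example'). Reject them outright.
    if any(ord(c) < 0x21 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    # Any scheme ('https:', 'javascript:', 'data:') or authority ('//host')
    # means the target is not a plain path on our own origin.
    if parts.scheme or parts.netloc:
        return False
    if not target.startswith("/") or target.startswith("//"):
        return False
    # Belt and braces: resolve against our origin and confirm the origin held.
    resolved = urlsplit(urljoin(app_origin + "/", target))
    origin = urlsplit(app_origin)
    return (resolved.scheme, resolved.netloc) == (origin.scheme, origin.netloc)


def login_redirect_open(next_param: str) -> str:
    """Hypothetical vulnerable handler: trusts ?next= as-is (an open redirect)."""
    return next_param or "/"


def login_redirect_checked(next_param: str) -> str:
    """Hypothetical hardened handler: falls back to '/' unless the target is safe."""
    return next_param if is_safe_redirect_target(next_param) else "/"


if __name__ == "__main__":
    # Constructed candidates for the ?next= parameter.
    for candidate in ["/inbox?tab=1", "//evil.example/", "https://evil.example/",
                      "javascript:alert(1)", "/\\evil.example", ""]:
        print(f"{candidate!r:24} open -> {login_redirect_open(candidate)!r:24} "
              f"checked -> {login_redirect_checked(candidate)!r}")
```

The allowlist is deliberately "same-origin paths only"; if the application legitimately needs to send users to a handful of other hosts (an SSO partner, say), extend the check with an explicit list of full origins rather than a substring or prefix match on the hostname.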

Quick recap of Open Redirects
Potential security impact on certain cases

Malicious usage
Abusing domain reputation (phishing, spam...)
Referer stripping / riding
Bypassing link whitelists
Server-side Request Forgery
XSS
Information Leakage
Character injection

1- Abusing domain reputation

Do you screen your links before clicking on them? The status bar helps but we are too used to URL shorteners

t.co, bit.ly, fb.me... we basically gave up on knowing beforehand where we are being taken to

When there is no shortener, we no longer expect a redir
Seeing https://www.paypal.com... looks actually safe
... when in fact we don't know...
https://www.paypal.com/de/cgi-bin/?id=xjkfdsKJHSUOSKFjauhhsdhkfd8793004jkhfdsJHfds98fdskjJxxjkFjksdf&cmd=_back-to-portal&portal_url=https://evil.com

Also status bar is not always available!

Things get worse on social sites
Small previews of external links are attempted
Link is prefetched and decorated with title, favicon, thumb, text excerpt...
Link is wrapped: Twitter t.co, Facebook l.php, LinkedIn /share?viewlink
Classic TOCTOU problem vs. Server-side Request Forgery (more on this later...)

@randomdross actually wrote a great paper on this topic
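The TOCTOU above is easiest to see in code: a preview fetcher that validates the submitted link once and then lets its HTTP client follow redirects has checked the wrong URL. The following is an added example, not from the deck, the cited paper or any of the sites named; it shows a fetcher that re-validates the target before every hop of the chain. It runs offline against a constructed in-memory "web" (short.example, blog.example) and a fetch function that does not follow redirects itself, both assumed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed in-memory "web": url -> (status, headers, body). Not real sites.
FAKE_WEB = {
    "https://short.example/abc": (302, {"Location": "https://blog.example/post"}, b""),
    "https://blog.example/post": (200, {}, b"<title>A blog post</title>"),
    # A chain whose first hop looks harmless but ends at a link-local metadata
    # address: a check applied only to the submitted URL would pass it.
    "https://short.example/meta": (302, {"Location": "http://169.254.169.254/latest/"}, b""),
    "http://169.254.169.254/latest/": (200, {}, b"instance credentials"),
}


def fake_fetch(url):
    """Stand-in for an HTTP client configured NOT to follow redirects."""
    return FAKE_WEB.get(url, (404, {}, b""))


def host_is_public(host: str) -> bool:
    """Reject loopback, private, link-local and similar destinations.

    Only IP literals and 'localhost' are classified here. A production fetcher
    must also resolve hostnames, apply the same test to every resolved address
    and connect to that exact address, because DNS answers can change between
    the check and the connection (the same TOCTOU again, one layer down).
    """
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: see the resolution caveat above
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_url(url: str) -> bool:
    """Only http(s) to a public host may be fetched by the preview service."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and bool(p.hostname) and host_is_public(p.hostname)


def fetch_preview(url, fetch=fake_fetch, max_hops=5):
    """Follow redirects manually, re-validating the target before every hop.

    Returns (final_url, body, hops) on success, or None if any hop is blocked,
    a redirect carries no Location, or the chain is too long.
    """
    hops = []
    current = url
    for _ in range(max_hops + 1):
        if not is_allowed_url(current):
            return None
        status, headers, body = fetch(current)
        hops.append(current)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                return None
            current = urljoin(current, location)  # Location may be relative
            continue
        return current, body, hops
    return None


if __name__ == "__main__":
    for start in ("https://short.example/abc", "https://short.example/meta"):
        print(start, "->", fetch_preview(start))
```

The essential design choice is that the HTTP client never follows a redirect on its own: every Location value comes back to the same allow-check that the original link went through, so a wrapper or shortener cannot turn a harmless-looking submission into an internal request.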

Plus, even without open redirs... JavaScript can change the URL of newly opened windows at any time

Link on makensi.es points to apple.com and opens in a new window.
User clicks, new window opens, apple.com loads.
At any time, even after the user navigates further down apple.com, the makensi.es window may change the new window's URL from apple.com to evil.com.

@lcamtuf did a nifty demo of this

So yeah, you cannot trust links whatsoever, not for a single authority

How to be safe: ALWAYS check your browser address bar. That's about it.

"The problem is that the current contents of the address bar are about the only security indicator you have in the browser. [...] If you make security decisions based on onmouseover tooltips, link text or anything along these lines, and do not examine the address bar of the site you are ultimately interacting with, there is very little any particular web application can do to save you" -- Michal Zalewski

2- Referer stripping / riding
School taught us Referer is not reliable
Still, many people rely on referer checks against hotlinking and for access control
Also referer checking = lazy man's anti-CSRF

Works better than most of us would dare to admit