Unvalidated Redirection

medium Web App Scanning Plugin ID 98054

Language:

Synopsis

Description

Web applications occasionally use parameter values to store the address of the page to which the client will be redirected -- for example: `yoursite.com/page.asp?redirect=www.yoursite.com/404.asp`

An unvalidated redirect occurs when the client is able to modify the affected parameter value in the request and thus control the location of the redirection. For example, the following URL `yoursite.com/page.asp?redirect=www.anothersite.com` will redirect to `www.anothersite.com`.

There are several ways a redirection can occur:

1) A response with a 3xx status code will tell the browser to redirect to the URL in the "Location" header

2) A response with a "Refresh" header tells the browser to reload the page after a set interval (which can be 0). The header can take an arbitrary URL parameter to load

3) The HTML <meta> tag can take a "http-equiv" attribute which can be used instead of an HTTP response header. Using this, a "Refresh" can be simulated

4) Javascript is used to redirect the browser to an arbitrary URL

Cyber-criminals will abuse these vulnerabilities in social engineering attacks to get users to unknowingly visit malicious web sites.

The scanner has discovered that the server does not validate the parameter value prior to redirecting the client to the injected value.

Solution

The application should ensure that the supplied value for a redirect is permitted. This can be achieved by performing whitelisting on the parameter value.
The whitelist should contain a list of pages or sites that the application is permitted to redirect users to. If the supplied value does not match any value in the whitelist then the server should redirect to a standard error page.