Open Redirect
Definition
Open Redirect (or OPR) occurs when a web application redirects a user to an URL without properly validating the redirect target.
OPR to XSS
When you have a client-side redirection using window.location = target
, you can trigger an XSS attack using the javascript:
protocol. Example:
window.location = "javascript:alert(document.domain)"
// ?redirect=javascript:alert(document.domain)
OPR to External URLs
Open Redirect to external URLs can enhance the success rate of phishing attacks if victims trust the main domain, but it still requires user interaction from the victim.
Example: https://example.com?redirect=https://evil.com
Execution After Redirect (EAR)
Execution After Redirect happens when a server redirects a user but executes code on the server before the redirection occurs. Example:
<?php
session_start();
if (!isset($_SESSION['auth'])) {
header("Location: /login");
}
echo "Private content!";
You can access the private content in the response body if the execution is not terminated after the redirection.
$ curl -v 'http://localhost:8888'
< HTTP/1.1 302 Found
< Host: localhost:8888
< Location: /login
< [...]
Private content!
Fix using the exit
function in PHP:
if (!isset($_SESSION['auth'])) {
header("Location: /login");
exit();
}
Follow redirects
Follow redirects refers to the process where an HTTP client automatically proceeds the redirection. Examples:
>>> import requests
>>> requests.get("http://localhost:8888?redirect=https://xanhacks.xyz").url
'https://xanhacks.xyz'
fetch("/?redirect=https://xanhacks.xyz")
.then(r => r.text())
.then(html => console.log(html)) // HTML content of xanhacks.xyz
OPR on famous websites
Open Redirect is not considered a vulnerability by Google, so they will not fix the following ones:
https://www.youtube.com/attribution_link?u=https://m.youtube.com@xanhacks.xyz
https://www.youtube.com/attribution_link?u=https://m.youtube.com.xanhacks.xyz
https://www.youtube.com/logout?continue=https://google.com/amp/xanhacks.xyz
https://accounts.google.com/ServiceLogin?continue=https://google.com/amp/xanhacks.xyz
https://accounts.google.com/SignOutOptions?hl=fr&continue=https://google.com/amp/xanhacks.xyz
https://google.com/amp/xanhacks.xyz