Unvalidated Redirect
Bug Pattern: UNVALIDATED_REDIRECT
Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks.
Scenario
A user is tricked into visiting the malicious URL: http://website.com/login?redirect=http://evil.vvebsite.com/fake/login
The user is redirected to a fake login page that looks like a site they trust. (http://evil.vvebsite.com/fake/login)
The user enters his credentials.
The evil site steals the user’s credentials and redirects him to the original website.
This attack is plausible because most users don’t double check the URL after the redirection. Also, redirection to an authentication page is very common.
Vulnerable Code:
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {[...]resp.sendRedirect(req.getParameter("redirectUrl"));[...]}
Solution/Countermeasures:
Don’t accept redirection destinations from users
Accept a destination key, and use it to look up the target (legal) destination
Accept only relative paths
White list URLs (if possible)
Validate that the beginning of the URL is part of a white list
References
WASC-38: URL Redirector Abuse
OWASP: Top 10 2013-A10: Unvalidated Redirects and Forwards
OWASP: Unvalidated Redirects and Forwards Cheat Sheet
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
Spring Unvalidated Redirect
Bug Pattern: SPRING_UNVALIDATED_REDIRECT
Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks.
Scenario
A user is tricked into visiting the malicious URL: http://website.com/login?redirect=http://evil.vvebsite.com/fake/login
The user is redirected to a fake login page that looks like a site they trust. (http://evil.vvebsite.com/fake/login)
The user enters his credentials.
The evil site steals the user’s credentials and redirects him to the original website.
This attack is plausible because most users don’t double check the URL after the redirection. Also, redirection to an authentication page is very common.
Vulnerable Code:
@RequestMapping("/redirect")public String redirect(@RequestParam("url") String url) {[...]return "redirect:" + url;}
Solution/Countermeasures:
Don’t accept redirection destinations from users
Accept a destination key, and use it to look up the target (legal) destination
Accept only relative paths
White list URLs (if possible)
Validate that the beginning of the URL is part of a white list
References
WASC-38: URL Redirector Abuse
OWASP: Top 10 2013-A10: Unvalidated Redirects and Forwards
OWASP: Unvalidated Redirects and Forwards Cheat Sheet
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
若有收获,就点个赞吧
0 人点赞
