Identification of Unvalidated Redirects and Forwards

Unvalidated Redirects and Forwards occur when a web application accepts untrusted input and uses it, without validation, as the destination of a redirect or forward. This allows an attacker to induce a user to visit an unintended web page, or to supply their own malicious URL as the redirection or forwarding target. The vulnerability is particularly dangerous because the initial link appears to point at a trusted site, which makes it useful for facilitating phishing attacks or distributing malware.

From a pentester's perspective, identifying and exploiting Unvalidated Redirects and Forwards involves the following steps:

Identification

  1. Review Code: Look for places in the code where redirects or forwards are happening. Check if the application is using user-controlled input to determine the destination. This is often found in parameters that accept URLs or paths.
  2. Manipulate URLs: By manipulating URL parameters that are used for redirection or forwarding, a pentester can determine if the application is properly validating these inputs. For example, changing a URL parameter like redirect=www.example.com to redirect=www.evil.com to see if the application redirects to evil.com.
  3. Check HTTP Headers: In some cases, redirection or forwarding can be controlled through HTTP headers. Manipulating headers like Referer or Location can reveal if the application is vulnerable.
  4. Automated Tools: Use automated scanning tools to identify potentially vulnerable points. These tools can crawl the application and test for various types of vulnerabilities, including Unvalidated Redirects and Forwards.

Examples of Attacks

  1. Phishing: An attacker could craft a link that appears to be from a legitimate website but redirects the user to a malicious site. For example, https://www.example.com/redirect?url=https://www.evil.com. The user sees the legitimate domain but ends up on a malicious site.
  2. Open Redirects: If a pentester finds that the application allows open redirection, they can use this to demonstrate how an attacker could leverage the website to redirect users to malicious sites without their knowledge.
  3. Malicious Forward: Similar to redirects, if an application forwards requests internally based on user input, an attacker could manipulate this to access unauthorized pages or content.

Mitigation Strategies

  • Always validate and sanitize all user-supplied input, especially URL parameters used for redirection or forwarding.
  • Avoid using user input for redirection or forwarding directly. If necessary, use mapping values (indirect object references) instead of actual URLs or paths.
  • Implement a whitelist of allowed URLs or domains to which redirection or forwarding is permitted.
  • Ensure that users are informed and consent to redirection when they are being redirected to an external site.
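The following Python example is added here to make the identification and mitigation points concrete; it is not code from the original page. It implements the mitigation list above (an allowlist of permitted hosts, a rejection of the common bypass shapes such as protocol-relative and backslash URLs, and an indirect key-to-URL mapping so raw URLs never come from the user), and it reuses the same check as a defender-side sweep over access-log lines to flag redirect-style parameters that point off-site, which is the log-level counterpart of the URL manipulation described under Identification. The host allowlist, parameter names, mapping keys and log lines are constructed for illustration.

```python
"""Added example: redirect-target validation (allowlist + indirect mapping) and a
log sweep that flags redirect parameters pointing off-site. All names and sample
data below are constructed for illustration; none come from the original page."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})

# Indirect object references: the request carries a short key, never a raw URL.
REDIRECT_MAP = {
    "home": "/",
    "account": "/account",
    "docs": "https://www.example.com/docs",
}

# Query-parameter names commonly used to carry a redirect target (assumed list).
REDIRECT_PARAMS = frozenset({"url", "redirect", "next", "return", "returnurl", "goto"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site path or an allowlisted absolute URL.

    Rejects the usual bypass shapes: protocol-relative (//host), backslash
    variants (/\\host), userinfo tricks (https://good@evil), non-http schemes,
    and URLs with a scheme but no host (https:///host), which some browsers
    silently repair into a cross-site URL.
    """
    target = target.strip()
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return False
    if parts.netloc:
        # Absolute or protocol-relative URL: compare the hostname (not netloc,
        # which may carry userinfo or a port); urlsplit lowercases hostname.
        return (parts.hostname or "") in allowed_hosts
    # No host at all: accept only a single-slash, site-relative path.
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(key: str, default: str = "/") -> str:
    """Indirect mapping: untrusted input selects a key; only mapped URLs are used."""
    return REDIRECT_MAP.get(key, default)


# Constructed access-log lines (Common Log Format); not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?next=/account HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /redirect?url=https://www.evil.com HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /redirect?url=//evil.com/phish HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /login?next=https://www.example.com/docs HTTP/1.1" 302 0',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_suspicious_redirects(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (param, value) pairs for redirect-style parameters whose value
    fails is_safe_redirect; a defender can run this over logs to spot abuse attempts."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, values in parse_qs(query).items():  # parse_qs percent-decodes values
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                if not is_safe_redirect(value, allowed_hosts):
                    hits.append((name, value))
    return hits


if __name__ == "__main__":
    for target in ("/account", "//evil.com", "https://www.example.com@evil.com"):
        print(f"{target!r:45} safe={is_safe_redirect(target)}")
    print("log hits:", find_suspicious_redirects(LOG_LINES))
```

The validator deliberately compares the parsed hostname rather than doing a substring or prefix check on the raw string, because "www.example.com.evil.com" and "https://www.example.com@evil.com" both contain the trusted domain yet resolve elsewhere; the indirect mapping in `resolve_redirect` avoids the problem entirely by never accepting a URL from the request.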

By understanding how to identify and exploit these vulnerabilities, pentesters can help organizations strengthen their web applications against such attacks.