As part of our articles detailing the 10 most frequent web attacks (as listed in the OWASP top 10), we are going to evoke unvalidated redirects and forwards.

Unvalidated redirects and forwards

On a website, it can sometimes be useful to redirect the users from one page to another, for instance in the case where the original page is no longer active. To make sure the URLs to which your website can redirect a visitor are legitimate, they must be limited and known by the server, which will put them, for instance, in a whitelist. If it is not the case, it can be easy for an attacker to use the redirect or forward mechanism of the website to bring a user to visit another website, which he controls. This illegitimate website can look exactly like the original one, and the pirate will thus exploit the data entered by the user, who will think he is still on the legitimate website.

redirection-301-302Typically, the pirate can (without the server blocking his request) make a redirect like:

http://www.legitimate.org/redirect.php?url=www.evil.org

It is thus easily possible to mislead an inattentive user, who will not check the URL on which he is redirected.

Finding the potential unverified redirects

To check whether your redirect and forward mechanism is not used malevolently, look into your website’s logs to see if 302 codes (or 30X) indicating a redirect are being generated. If the latter are generated by a rewrite of the .htaccess, there is no problem. However, if they are generated by the website itself, it is then important to check if the URLs are indeed limited in a whitelist; if not, it is likely that pirates are using your website to mislead and/or steal information from your visitors.

CerberHost’s answers to unvalidated redirects and forwards

cerberhostIt is complex to create an actual protection against this type of vulnerability because it is an internal mechanism of the website. However, the initial audit of the source code, provided by our security experts, will easily reveal these vulnerabilities and the SecOps team will ask the client to correct the code.

It is also possible to block these redirections at the revers proxies and WAF (web application firewall) levels, but it can also block the functioning of the website itself, it is thus not the better option.

Discover CerberHost

video de présentation de CerberHost

CerberHost protects your website against all Top 10 OWASP attacks, and much more.

To discover CerberHost in pictures, watch its presentation video HERE.

 

Lucie Saunois
Lucie Saunois
IT aficionado, specifically when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable by anyone.