Security Testing 简明教程

Unvalidated Redirects and Forwards

互联网上的大多数 Web 应用程序经常将用户重定向并转发到其他页面或外部网站。但是,在不验证这些页面的可信度的情况下,黑客可以将受害者重定向到网络钓鱼或恶意软件网站,或使用转发来访问未经授权的页面。

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

unvalidated redirects and forwards

Example

Some classic examples of Unvalidated Redirects and Forwards are as given −

  1. Let us say the application has a page - redirect.jsp, which takes a parameter redirectrul. The hacker adds a malicious URL that redirects users which performs phishing/installs malware.

http://www.mywebapp.com/redirect.jsp?redirectrul=hacker.com
  1. All web application used to forward users to different parts of the site. In order to achieve the same, some pages use a parameter to indicate where the user should be redirected if an operation is successful. The attacker crafts an URL that passes the application’s access control check and then forwards the attacker to administrative functionality for which the attacker has not got the access.

http://www.mywebapp.com/checkstatus.jsp?fwd=appadmin.jsp

Preventive Mechanisms

  1. It is better to avoid using redirects and forwards.

  2. If it is unavoidable, then it should be done without involving user parameters in redirecting the destination.