Open HTTP Redirect
The Open HTTP Redirect attack occurs when a web application redirects users to an arbitrary URL provided by the attacker. This type of vulnerability arises due to insufficient or non-existent validation of parameters controlling HTTP redirects.
Attackers exploit this vulnerability primarily to carry out phishing attacks, tricking unsuspecting users into visiting malicious sites under the guise of legitimate links.
In a typical Open HTTP Redirect vulnerability, the application receives a URL parameter to define the destination address after an action, such as a login or a successful operation. Example:
https://example.com/login?redirect=http://malicious-site.com
If the application does not correctly validate the redirect parameter, the user will be redirected directly to the malicious site provided by the attacker.
Low
In this level of security, when entering the corresponding section, we find two links that direct us to another part of the web.
When analyzing the code of the links, we found the following, where it can be seen that the redirection goes to the info.php file with an id=1 parameter:
<a href="source/low.php?redirect=info.php?id=1">Quote 1</a>
If we replace that value with another address, such as the OSDO website, the link takes us to OSDO instead of the page the application should display:
<a href="source/low.php?redirect=http://opensecdevops.com">Quote 1</a>
Medium
At this security level, if we retry the attack used at the Low level, we get a message stating that absolute URLs cannot be used.
Reviewing the source code, we see that the application explicitly checks that the URL provided is not absolute:
<?php
if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
    if (preg_match ("/http:\/\/|https:\/\//i", $_GET['redirect'])) {
        http_response_code (500);
        ?>
        <p>Absolute URLs not allowed.</p>
        <?php
        exit;
    } else {
        header ("location: " . $_GET['redirect']);
        exit;
    }
}
http_response_code (500);
?>
<p>Missing redirect target.</p>
<?php
exit;
?>
Since the check only looks for the http:// and https:// prefixes, we tried a protocol-relative URL (one that starts with //). Modifying the link as follows achieves the redirection:
<a href="source/medium.php?redirect=//opensecdevops.com">Quote 1</a>
High
At this level, any of the above attacks produces an error message stating that you can only redirect to the info page.
Analyzing the application code, we see that the check simply looks for the string info.php anywhere in the URL we supply:
<?php
if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
    if (strpos($_GET['redirect'], "info.php") !== false) {
        header ("location: " . $_GET['redirect']);
        exit;
    } else {
        http_response_code (500);
        ?>
        <p>You can only redirect to the info page.</p>
        <?php
        exit;
    }
}
http_response_code (500);
?>
<p>Missing redirect target.</p>
<?php
exit;
?>
Since we already know the legitimate links point to info.php, we can append that string as a query parameter on our own domain; the substring check passes and the restriction is bypassed:
<a href="source/high.php?redirect=//opensecdevops.com?info.php=1">Quote 1</a>
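All three levels fail for the same reason: they inspect the raw string (regex prefix, substring) instead of parsing the target and comparing it against an allowlist. The following is an added example, not code from DVWA or the original post, of the check that closes all three bypasses; it is written in Python as a stand-in for the PHP above, and the allowlist containing only info.php is an assumption.

```python
from urllib.parse import urlsplit

# Assumed allowlist of local pages the application may redirect to.
ALLOWED_TARGETS = {"info.php"}
DEFAULT_TARGET = "info.php"


def is_safe_redirect(target: str) -> bool:
    """Return True only for a same-site, allowlisted relative path.

    Unlike the prefix regex (Medium) and the substring test (High), this
    parses the value and rejects anything carrying a scheme or an authority.
    """
    if not target or target != target.strip():
        return False
    # Browsers treat backslashes as slashes ("/\\host"); CR/LF would let an
    # attacker inject extra headers. Reject them rather than try to normalise.
    if any(ch in target for ch in "\\\r\n\x00"):
        return False
    parts = urlsplit(target)
    # Any scheme (http:, javascript:, data:) or authority (//host) is off-site,
    # which covers both the Low payload and the protocol-relative Medium one.
    if parts.scheme or parts.netloc:
        return False
    path = parts.path.lstrip("/")
    # Compare the whole path, not a substring: "//host?info.php=1" has an
    # empty path and "evil/info.php" is a different page, so both fail here.
    return path in ALLOWED_TARGETS


def redirect_target(target: str) -> str:
    """Value to place in the Location header: the validated target or the default."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET
```

Query strings on an allowlisted page (info.php?id=1) still pass, because only the path component is compared.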