What is Open Redirect?
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
Example of a basic URL:
Introduction to Open Redirect:
HTTP response codes such as "301" or "302" returned by a web application indicate a URL redirection.
"Open Redirect" (also called "Unvalidated Redirection") is possible when a web application accepts untrusted input and uses it to redirect the request to a URL contained within that input. By modifying the untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing attack and steal user credentials.
Let’s check the real world scenario:
The user gets a phishing email stating that “Example.com – A movie booking web-app” is giving its users “a free movie ticket” over the URL specified in the email as:
The URL appears genuine because it carries the domain name "example.com", but that same URL redirects the user over to "abc.in", which is nothing but the attacker's fake web application.
This happens when the developer does not apply any input validation and simply implements the redirection with a function such as header(), passing the redirect target through from the request in clear text.
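To make the contrast concrete, here is an added example (not code from the original article) in Python rather than the PHP header() call the text refers to. It puts the vulnerable pattern beside a hardened one: the unsafe version returns whatever the "next" parameter says, while the safe version resolves the value against the application's own origin and only accepts it when the resulting absolute URL stays on an allowlisted host over http(s). The hosts example.com and abc.in follow the article's scenario; the allowlist, the fallback path and the sample inputs are constructed for this example.

```python
from urllib.parse import urljoin, urlparse

# Constructed values for the example; in a real deployment these come from config.
APP_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"  # where we send the user when the requested target is not trusted


def unsafe_redirect_target(next_url: str) -> str:
    """The vulnerable pattern: the request parameter becomes the Location header as-is."""
    return next_url


def safe_redirect_target(next_url: str) -> str:
    """Return an absolute URL on an allowlisted host, or FALLBACK if the input
    cannot be trusted. Every rejection path is a case the naive version misses."""
    if not next_url:
        return FALLBACK
    # Reject control characters and whitespace; they can smuggle a scheme or
    # host past string-based checks and break header parsing.
    if any(ord(ch) < 0x21 for ch in next_url):
        return FALLBACK
    # Browsers treat a backslash like a forward slash, so "/\\abc.in" becomes
    # "//abc.in" (a protocol-relative URL). Normalise before parsing so that
    # urlparse sees the URL the same way the browser will.
    candidate = next_url.replace("\\", "/")
    # Resolve relative paths against our own origin so that "/account" and
    # "https://example.com/account" are judged by the same rules.
    absolute = urljoin(APP_ORIGIN + "/", candidate)
    parsed = urlparse(absolute)
    if parsed.scheme not in ("http", "https"):
        return FALLBACK  # e.g. javascript: or data: schemes
    if parsed.username or parsed.password:
        return FALLBACK  # "https://example.com@abc.in/" would otherwise look familiar
    if parsed.hostname not in ALLOWED_HOSTS:
        return FALLBACK  # exact match also rejects "example.com.abc.in"
    return absolute


def location_header(next_url: str) -> str:
    """Build the header line a hardened redirect endpoint would emit."""
    return "Location: " + safe_redirect_target(next_url)


if __name__ == "__main__":
    # Constructed inputs modelled on the article's phishing scenario.
    samples = [
        "/account",
        "https://www.example.com/movies",
        "https://abc.in/free-ticket",
        "//abc.in/free-ticket",
        "/\\abc.in/free-ticket",
        "https://example.com@abc.in/free-ticket",
        "https://example.com.abc.in/free-ticket",
    ]
    for sample in samples:
        print(f"{sample!r:45} unsafe -> {unsafe_redirect_target(sample)!r:45} "
              f"safe -> {safe_redirect_target(sample)!r}")
```

The safe version deliberately allowlists hosts rather than denylisting known-bad ones, and it compares the parsed hostname exactly instead of checking whether the string "contains" or "starts with" the trusted domain; the sample inputs show why each of those choices matters. If the application only ever needs to return users to its own pages, an even simpler policy is to accept only a relative path and prepend the origin yourself.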
Open Redirect Impact:
Open Redirection is a minor vulnerability on its own, but it can cause major damage to the web application when chained with others such as "RCE" or "XSS".
Accordingly, it is typically reported as "Medium Severity" with a CVSS score of "6.1" under:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)