[VIM] Open redirects - yes or no?

Noam Rathaus noamr at beyondsecurity.com
Wed Apr 30 15:17:07 UTC 2008


Hi,

My personal dislike for this is that in some cases the URL is doing what it 
was asked to do - no one said that the URL should be local to the site or  
application.

So this link, from a quite well-known application, would fall under your category 
for an open redirect:
http://www.google.com/search?hl=en&q=CVE-2002-0419+windows+2003&btnI=I%27m+Feeling+Lucky

Which redirects you to Location: 
http://www.hitrust.com.hk/whitepaper/2.1/sample_report.pdf

Or this:
http://www.google.com/search?num=100&hl=en&safe=off&q=CVE-2008-0032++securiteam&btnI=I%27m+Feeling+Lucky

Redirecting you to our site.

I'm quite sure people don't think Google's app is vulnerable.

In the same way I don't think an "open redirect" is vulnerable - rather doing 
what it was asked.

If it were an XSS of some sort I would have been more keen to accept it.

On Wednesday 30 April 2008 17:49:25 Steven M. Christey wrote:
> CVE has been adding "open redirect" issues lately, where you have
> something like:
>
>   myapp.php?url=http://www.example.com/PHISHME
>
>
> Typically, a vulnerable application will read the url argument and
> construct a response that redirects the user to that URL.  The general
> rationale is for the application to redirect a user to another part of
> the site, e.g. if a login failed.
>
> The typical implementations I've seen either use a Location: header or
> a META-REFRESH.  CVE-2008-0981 and CVE-2008-0613 are recent examples.
>
> But, I've noticed that other VDBs aren't necessarily covering these.
>
> My rationale for inclusion in CVE is that open redirects are useful
> for redirecting a user from a legitimate site to a malicious site
> where the malicious site is either used for phishing or drive-by
> exploitation.  I suspect that many implemented redirects would be
> automatic, so in the drive-by example it's irrelevant if a cautious
> user looks at the browser's address bar, as the malware probably would
> have already implanted itself.  This usually is not intended by the
> program serving up the URL, and so it's technically a security issue
> because of the violation of the program's intended security policy.
> At least that's my general reasoning.
>
> The attack topology has things in common with reflected XSS
> (attacker-to-user-who-clicks), which I think is generally treated as a
> security issue even if it's typically user-assisted.  And I suspect
> there might be some stored-XSS-style attacks too.
>
> What do others think of this?
>
> - Steve



-- 
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com

"Know that you are safe."

Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007
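The pattern Steve describes (`myapp.php?url=...` echoed straight into a `Location:` header) next to a validator that keeps redirects on the application's own hosts, as an added example that is not part of the thread or of any product mentioned in it. It is Python rather than PHP, the allowed host names are constructed for the demo, and the bypass shapes it handles (protocol-relative `//host`, backslash variants, non-http schemes, userinfo tricks, look-alike suffix hosts, header injection via CR/LF) are the ones a reviewer would normally check for when triaging a redirect parameter.

```python
"""Open-redirect triage helper (added example, not from the VIM thread).

open_redirect_location() reproduces the vulnerable behaviour the thread
describes: the url parameter becomes the Location header unchanged.
safe_redirect_location() is the hardened form: only local paths or absolute
URLs on an allow-list of hosts survive; anything else falls back to a default.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configuration: the only hosts a redirect may point at.
ALLOWED_HOSTS = {"app.example.test", "www.app.example.test"}
DEFAULT_TARGET = "/"


def open_redirect_location(url_param: str) -> str:
    """Vulnerable pattern: whatever the client sent is what the browser follows."""
    return url_param


def safe_redirect_location(url_param: str,
                           allowed_hosts=ALLOWED_HOSTS,
                           default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target on an allowed host (or a local path), else default."""
    if not url_param:
        return default
    candidate = url_param.strip()
    # CR/LF would let the value terminate the Location header and inject more.
    if "\r" in candidate or "\n" in candidate:
        return default
    # Browsers treat backslashes in the authority like forward slashes, so
    # normalise first; otherwise '/\evil.test' parses here as a local path.
    candidate = candidate.replace("\\", "/")
    # '//host' (protocol-relative) and '///host' both resolve to another origin
    # in browsers even though Python sees the latter as an empty authority.
    if candidate.startswith("//"):
        return default

    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, custom schemes, 'host:port' misparses

    if parts.netloc:
        # .hostname strips userinfo and port and lowercases, so
        # 'https://app.example.test@evil.test/' yields 'evil.test'.
        host = parts.hostname or ""
        if host not in allowed_hosts:
            return default  # also rejects 'app.example.test.evil.test'
        # Rebuild from validated pieces: no userinfo, no port, no fragment.
        return urlunsplit((parts.scheme or "https", host,
                           parts.path or "/", parts.query, ""))

    # No authority: accept only an absolute local path, keep path and query.
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def triage_report(samples):
    """Map each sample to (vulnerable_result, hardened_result) for review."""
    return {s: (open_redirect_location(s), safe_redirect_location(s)) for s in samples}


if __name__ == "__main__":
    # Constructed inputs, including the thread's PHISHME shape.
    for value, (vuln, safe) in triage_report([
        "http://www.example.com/PHISHME",
        "/account/settings?tab=1",
        "//evil.test/x",
        "/\\evil.test",
        "javascript:alert(1)",
        "https://app.example.test@evil.test/",
        "https://APP.example.test/dash?tab=1",
    ]).items():
        print(f"{value!r:45} vulnerable -> {vuln!r:40} hardened -> {safe!r}")
```

The hardened function returns the default target rather than raising, so a failed check degrades to a harmless local redirect; logging the rejected value at that point is the natural detection hook, since a stream of rejected absolute URLs against a login or logout endpoint is the visible symptom of someone probing the parameter.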

