AttackFlow Findings Dictionary


Open Internal Redirect

Attackers may mount convincing cross-site request forgery attacks by abusing the trust your end users place in your application's domain name.

Severity

Medium

Fix Cost

Low

Trust Level

High

Sometimes code has to redirect the browser to a relative URL, and the redirect target is built from the value of an HTTP parameter.

A common instance is redirecting users to relative application URLs that require authentication. Users often bookmark parts of the application for quick access later, but those parts may only be available to an authenticated user. When a user who is not logged in opens such a bookmark, the application redirects them to the login page and carries the original relative URL in a query parameter, as below:

http://www.trustedapplication.com/login?redir=/profile

When the user logs in successfully, the code takes the value of the redir parameter and performs a redirect; in ASP.NET (C#) it looks like this:


// Untrusted input: 'redir' comes straight from the query string.
String urlContext = Request["redir"];
// No validation of the path: whatever the attacker placed in 'redir' becomes the redirect target.
Response.Redirect(Request.Url.Authority + urlContext);


Attackers can craft URLs such as the one below and trick other end users into logging in through them. Once the victim logs in via the attacker's link, the code redirects them to a context path the application never intended as a landing page, for example the endpoint that carries out account deletion after confirmation. Because the redirect stays on the application's own host, the browser follows it without any warning and sends the freshly issued session cookie along. The attacker thus turns the user's trust in the target application into a convincing CSRF attack.

http://www.trustedapplication.com/login?redir=/deleteaccountconfirm

The same flaw in a Java servlet: after a successful login the code reads the parameter and redirects to it unchecked.

// Untrusted input: 'redir' comes straight from the query string.
String urlContext = request.getParameter("redir");
// getBaseUrl(request) is a helper assumed to return the application's own scheme and host;
// the attacker still controls the entire path that follows it.
response.sendRedirect(getBaseUrl(request) + urlContext);

The crafted URL that abuses it is identical:

http://www.trustedapplication.com/login?redir=/deleteaccountconfirm
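Both snippets above (the ASP.NET one and the Java servlet one) concatenate the application's own host with an untrusted path, so the resulting redirect never leaves the trusted domain, which is exactly why the victim's browser follows it without hesitation and attaches the fresh session cookie. The Python example below is added here and is not AttackFlow's code or code from the page; it mirrors the vulnerable concatenation and then shows two independent fixes: an allowlist of post-login landing paths (with dot-segment normalisation and rejection of scheme, host and backslash tricks, which goes slightly beyond the page's same-host case), and a router that refuses to perform a state change on GET or without the session's CSRF token, since a redirect is always a GET. BASE_URL, ROUTES, SAFE_LANDING_PATHS, the CSRF token value and all function names are constructed for the demonstration.

```python
"""Post-login redirect: the page's vulnerable pattern beside a hardened one.

Added example, not AttackFlow's code. BASE_URL, ROUTES, SAFE_LANDING_PATHS and
the session CSRF token are constructed for the demonstration.
"""
import posixpath
from typing import Optional
from urllib.parse import urlsplit

BASE_URL = "http://www.trustedapplication.com"  # host taken from the page's example URLs

# Constructed routing table: which paths exist and whether a request to them changes state.
ROUTES = {
    "/": {"mutates": False},
    "/profile": {"mutates": False},
    "/dashboard": {"mutates": False},
    "/deleteaccountconfirm": {"mutates": True},
}

# Constructed allowlist: the only places a freshly logged-in user may be sent.
SAFE_LANDING_PATHS = {"/", "/profile", "/dashboard"}
DEFAULT_LANDING = "/"


def vulnerable_post_login_redirect(redir: str) -> str:
    """Same behaviour as the page's snippets: base URL + untrusted 'redir', unchecked."""
    return BASE_URL + redir


def hardened_post_login_redirect(redir: Optional[str]) -> str:
    """Return an absolute Location whose path is guaranteed to be in SAFE_LANDING_PATHS.

    'redir' is the query parameter as the web framework hands it over (already URL-decoded).
    Anything that is not a plain, allowlisted relative path falls back to DEFAULT_LANDING.
    """
    if not redir:
        return BASE_URL + DEFAULT_LANDING
    # Browsers treat a backslash as a slash ("/\evil.example" becomes "//evil.example").
    if "\\" in redir:
        return BASE_URL + DEFAULT_LANDING
    parts = urlsplit(redir)
    # A scheme or network location means this is not a relative path at all
    # ("http://evil.example/", "//evil.example/", "javascript:...").
    if parts.scheme or parts.netloc:
        return BASE_URL + DEFAULT_LANDING
    path = parts.path
    if not path.startswith("/"):
        return BASE_URL + DEFAULT_LANDING
    # Collapse dot segments so "/profile/../deleteaccountconfirm" is judged by its real target.
    normalised = posixpath.normpath(path)
    if normalised.startswith("//") or normalised not in SAFE_LANDING_PATHS:
        return BASE_URL + DEFAULT_LANDING
    return BASE_URL + normalised


def dispatch(method: str, path: str, csrf_token: Optional[str] = None,
             enforce_csrf: bool = True, session_csrf_token: str = "s3ss10n-csrf") -> str:
    """Constructed mini-router.

    With enforce_csrf=True (the second defence) a state-changing route only acts on a POST
    that carries the session's CSRF token; a redirect is always a GET, so it can never
    reach the deletion. enforce_csrf=False models the page's application, where a bare GET
    to /deleteaccountconfirm deletes the account.
    """
    route = ROUTES.get(path)
    if route is None:
        return "404 not found"
    if route["mutates"]:
        if enforce_csrf and (method != "POST" or csrf_token != session_csrf_token):
            return "403 state change refused"
        return "200 account deleted"
    return "200 " + path


def simulate(redir: str, hardened: bool) -> str:
    """Log in with the given 'redir', follow the resulting redirect with a GET, report the outcome."""
    if hardened:
        location = hardened_post_login_redirect(redir)
    else:
        location = vulnerable_post_login_redirect(redir)
    return dispatch("GET", urlsplit(location).path, enforce_csrf=hardened)


if __name__ == "__main__":
    attack = "/deleteaccountconfirm"  # the redir value from the page's crafted URL
    print("vulnerable:", simulate(attack, hardened=False))
    print("hardened:  ", simulate(attack, hardened=True))
    print("traversal: ", hardened_post_login_redirect("/profile/../deleteaccountconfirm"))
```

The two fixes are deliberately independent. Even a perfectly validated redirect does not protect an application whose account-deletion endpoint acts on a bare GET, and the allowlist cannot protect a landing page it permits if that page itself changes state. Compare the normalised target rather than the raw string: `/profile/../deleteaccountconfirm` passes a naive prefix check on `/profile` but resolves to the dangerous path.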
