Insecure Redirection

OWASP 2013-A10 OWASP 2017-A5 WASC-38 CWE-601

An attacker can launch a phishing scam and steal user credentials by modifying the untrusted URL input so that it points to a malicious site. The redirection attack works because the link the victim sees carries the server name of the original, trusted site while the final destination is the attacker's site; as the malicious site is almost identical to the original, the phishing attempt has a more trustworthy appearance. The attacker can also misuse an unvalidated redirect or forward to craft a URL that passes the application's access control check and is then forwarded to privileged functions they would normally not be able to access.

This vulnerability occurs when an application accepts untrusted input that contains a URL value and uses it as a redirect target without validating it. The attacker can supply a URL value that redirects the user to another page controlled by the attacker.

Example

        // Vulnerable: the redirect target is read straight from a request parameter
        // (named "url" here) and used without validation, so a request such as
        // ?url=http://example.beaglesecurity.com sends the user wherever the parameter says.
        String target = request.getParameter("url");
        response.sendRedirect(target);

Impact

The impact of this vulnerability includes:

  • Steal user credentials: The attacker can use the redirection channel to obtain sensitive information exchanged between the server and its clients.
  • Phishing scam: The attacker redirects the victim to a fake copy of the destination site in order to capture the victim's username and password.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Avoid the use of redirects and forwards wherever possible.
  • Don't use user input directly as the redirect destination. Validate the URL with a dedicated method before redirecting.
  • Ensure that the supplied value is valid and appropriate for the application, and that the destination is one the current user is authorised to reach.
  • Restrict the input by maintaining a list of trusted URLs or hosts (an allowlist) and rejecting anything not on it.
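The following helper shows how the validation and allowlist recommendations above can be applied to the servlet redirect from the example. It is an added illustration, not Beagle's code; the parameter name "url", the allowlisted host and the default landing page are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Added example: resolve an untrusted redirect parameter against an allowlist. */
public final class SafeRedirect {
    // Constructed allowlist of hosts this application may redirect to (assumption).
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.beaglesecurity.com");
    // Where to send the user when the supplied value is missing or not trusted (assumption).
    private static final String DEFAULT_TARGET = "/home";

    /** Returns a safe redirect target for the raw "url" parameter value. */
    public static String resolveTarget(String untrusted) {
        if (untrusted == null || untrusted.isBlank()) {
            return DEFAULT_TARGET;
        }
        // Reject control characters and backslashes: browsers normalise "/\evil" to "//evil".
        for (char c : untrusted.toCharArray()) {
            if (c <= 0x20 || c == 0x7F || c == '\\') {
                return DEFAULT_TARGET;
            }
        }
        URI uri;
        try {
            uri = new URI(untrusted);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        // Case 1: a path inside this application ("/account"), but never a
        // protocol-relative "//host" form, which the browser treats as another site.
        if (uri.getScheme() == null && uri.getRawAuthority() == null
                && untrusted.startsWith("/") && !untrusted.startsWith("//")) {
            return untrusted;
        }
        // Case 2: an absolute http(s) URL whose host is on the allowlist and that
        // carries no userinfo (blocks "https://trusted@evil.example/" tricks).
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (host != null && uri.getRawUserInfo() == null
                && ("https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme))
                && ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return untrusted;
        }
        return DEFAULT_TARGET;
    }

    // In the servlet: response.sendRedirect(SafeRedirect.resolveTarget(request.getParameter("url")));
}
```

Inputs such as "//evil.example", "javascript:alert(1)" or "https://example.beaglesecurity.com.evil.example/" all fall through to DEFAULT_TARGET, while "/account" and "https://example.beaglesecurity.com/login" are returned unchanged.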
