Redirects, but final destination is not an HTTPS URL

By
Rejah Rehim
Published on
05 Jun 2018
Vulnerability
Client Side URL Redirect

HTTPS protocol is used for secure communication over a computer network. HTTPS is widely used on the Internet because due to its secure communication. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). This vulnerability is due to SSL being turned off or the certificate used is not proper. This protocol protects applications from the man-in-the-middle attack (MITM). HTTPS was first implemented in the payment gateway. The other difference between HTTPS and HTTP is that HTTP uses port 80 whereas HTTPS uses 443.

Impact

Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show users false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends the following:-

  • Turn on SSL certification
    • To obtain certification, generate a CSR (Certificate Signing Request).
    • Contact a certificate provider and request for a certificate.
    • Install the certificate.
    • Enforce SSL connections.
  • Try to set a proper SSL certificate.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment