Unvalidated Redirects & Forwards

Presentation on theme: "Unvalidated Redirects & Forwards"— Presentation transcript:

1 Unvalidated Redirects & Forwards
Rick Stroud 28 July 2016 CSCE 548 Student Presentation

2 Agenda
By the conclusion of this presentation you will be able to answer the following 4 questions concerning Unvalidated Redirects & Forwards:
Q1) What Is It?
Q2) What Is The Risk?
Q3) How To Prevent It?
Q4) How To Detect It?

3 What is a Redirect & Forward?
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.1
response.sendRedirect("
#10 on OWASP Top 10 Vulnerabilities
1https://

4 Are All Redirect & Forwards Bad?
There are legitimate reasons why an application may need to redirect a user.
For example, after authentication some websites take users to their personally defined home page.
If you have ever visited a website on a mobile device and been automatically taken to the mobile version of the site, you have likely encountered a redirect or forward.
Redirects & Forwards are a key part of internet & marketing.

5 What Google Says “We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks.”2,3 2https:// 3https://

6 Example – Non Malicious

7 When Are Redirect & Forwards Bad?
When the destination of the redirect or forward is vulnerable to tampering.
This includes redirecting to user-supplied destinations.
Any time the destination of a redirection cannot be validated, risk exists.

8 When Can User Input be Trusted?
never

9 What is the Risk? The risk is essentially Cross-Site Scripting.
This has been well covered already by other presentations.
Any time the destination address can be modified, the user can be taken to a site with malicious intent.
Commonly used in phishing attacks.

10 How to Prevent Risk? Simply avoid using redirects and forwards.
If used, do not allow the URL as user input for the destination. At a minimum, have a method to validate the URL.
If user input is required, make sure the value is valid, appropriate within the context of the application, and that the user is authorized to access the destination.
Rather than using user input directly, map a limited set of possible input values to a domain of allowed destination URLs.
Store the list of trusted URLs securely, not in source code.
Notify all users when a redirect happens, especially if they are leaving your site, and require click confirmation.
4https://
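The mapping and validation advice on this slide, as an added Python example (not code from the presentation, which shows a Java servlet call). It assumes a constructed allow-list table and placeholder hosts under example.com: a request key is looked up in the table, and a free-form "next" value is accepted only when it is a same-site path, so raw user input is never handed to the redirect.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list: short request keys map to fixed destinations.
# Slide 10 recommends keeping this table in secure configuration, not in source;
# it is inline here only so the example runs stand-alone. Hosts are placeholders.
ALLOWED_DESTINATIONS = {
    "home": "/account/home",
    "mobile": "https://m.example.com/",
    "docs": "https://docs.example.com/start",
}


def resolve_by_key(key: str) -> Optional[str]:
    """Map a user-supplied key to a trusted URL; unknown keys yield None."""
    return ALLOWED_DESTINATIONS.get(key)


def is_safe_local_path(target: str) -> bool:
    """Accept only a path on this site.

    Rejects absolute URLs (any scheme, including javascript:), protocol-relative
    forms such as //host or /\\host (browsers treat a backslash like a slash),
    and control characters that could smuggle a second header or scheme.
    """
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    norm = target.replace("\\", "/")
    # Must be a single leading slash: "//host" and "///host" both leave the site.
    if not norm.startswith("/") or norm.startswith("//"):
        return False
    parts = urlsplit(norm)
    return not parts.scheme and not parts.netloc


def choose_redirect(key: Optional[str], next_path: Optional[str],
                    fallback: str = "/") -> str:
    """Pick the redirect target: allow-listed key first, then a validated
    same-site path, otherwise the fallback. Never returns raw user input."""
    mapped = resolve_by_key(key) if key else None
    if mapped:
        return mapped
    if next_path and is_safe_local_path(next_path):
        return next_path
    return fallback
```

The returned value is what would be passed to the framework's redirect call in place of the request parameter.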

11 Example of a valid redirect?
To prevent tampering, encode parameters

12 How To Detect? In your own code, standard code review.
Tools - A redirect normally returns an HTTP code in the range,

13 What OWASP Has To Say5
Exploitability – Average
Prevalence – Uncommon
Detectability – Easy
Technical Impact – Moderate
Business Impact – Varies, application specific, may undermine trust
5https://

14 Bonus Example – Email Newsletter
Take the newsletter below & the unsubscribe link

15 Example – Email Newsletter
The Unsubscribe link goes to u=aff97178dc9be0c5fe5c1355d& id=dae & e=e80a689799
and redirects the user to the link below id=4782b1a8b6
The parameters in the redirect encode both the destination to redirect the user to and the identity of the recipient.

16 Microsoft Engineering Excellence
Questions? Microsoft Confidential

17 Reference Summary https:// 5https://

