Casaba Security » Web

Open redirects – what’s the problem?

Chris Weber — Sun, 02 Mar 2008 16:16:01 +0000

Been getting this question a bit lately. First off, what's an open redirect? It's a function in your application which sends the user to some other location. The redirect could be a response from the server, such as an HTTP 301 or 302 response code, or a META redirect. The redirect can be delivered in several forms, the important part is that when an attacker can control the redirect location, they can exploit it for nefarious purposes – usually this means spam or phishing attacks.

For example, your application takes a request from the user, maybe it's a GET request for a certain page. Included in the request is a value indicating the location where the user should be redirected once they've finished on the page. So, the user requests a page like:

http://somesite.tld/page.aspx?name=value&returnUrl=http://somesite.tld/referringpage.aspx

As you can see, the returnUrl takes a value of the redirect location. Then your code acts on it somewhere by redirecting the user with something like:
Response.Redirect(returnUrl);

Spammers and phishers love this, it gives them good camouflage. For example:

http://somesite.tld/page.aspx?name=value&returnUrl=http://evil.tld/installMalware.bad

Now imagine the spammer has crafted up a nice email that looks like it originates from somesite.tld, includes all the logos, fonts, etc. They coerce the victim into clicking this link by saying something like “your account needs immediate attention” or “you've won 500 points”. User clicks the link, gets redirected to evil.tld, and may not realize that the domain has switched before they say Yes to install the thing that the spammer wants them to download.

Tricky, right. In fact this is a favorite of spam, malware, and phish, next to the old XSS bug.

What's the solution
Well, simply, don't redirect openly, rather, implement a SafeRedirect() function that looks something like:

public static SafeRedirect(string url) { // check that protocol is either http:// https:// ftp:// or other specific protos you want to allow // check that domain is in fact yourdomain.tld // If these checks pass, then you can go ahead Response.Redirect(returnUrl); // If the checks fail, you can try to clean up the URL, but probably best to just fail and redirect to a safe landing page }
That's about all there is too it.

To fuzz or not to fuzz web services…

Chris Weber — Sat, 13 Jan 2007 08:00:00 +0000

Is it worth the time to run input fuzzing tests against web services? When engaging a client for a security review I’m often the one to pose this question. Sure, why not… right? Well honestly there’s a more precise way to answer this question. First we really need to understand the goals of the security review, so a few questions are in order.

Has threat modeling been done or is this my job?
How much time and budget do we have for a security review?
How complex are the web services? e.g. how many parameters do they take and in what format
Are the web services written in managed code?
Is user-input passed to unmanaged code?

Let’s take these answers from a common scenario:

Yes threat modeling is complete
We have about 2 or 3 weeks that you can use to test
Very complex, they use WS-Security, take hundreds of parameters, some encrypted, using custom formats, SOAP, as well as embedded XML blobs
Yes, they’re written in C# using the .NET Framework
Some specific elements of user-input are handled by unmanaged code modules

Some things not obvious in these questions are:

that the client is highly interested in finding Denial of Service (DoS) issues
that millions of people will be using these Web Services whether they know it or not
that no input fuzzing has been done to date

With 2-3 weeks we could get a lot done in a security review focused just one the web services. It’s becoming clear that fuzzing input would be a worthwhile venture. We’ll likely turn up some DoS issues, possibly some unmanaged code issues as well. Since we have a decent timeframe, we’ll be checking for the following issues, not all of which fuzzing is good for:

elevation of privilege (EoP)
repurposing attacks
cross-site scripting (yes, even web services in some cases)
information disclosure
session replay
SQL Injection
DTD attacks
XML validation
script injection
repudiation
denial of service
buffer overrun

Fuzzing will help with some of these, so at this point the answer is yes, let’s do it. We’ll also be doing some code review, which is great for identifying issues such as DoS, XML validation, and DTD attacks quickly. And we’ll be studying the specs and architecture along the way to keep a clear understanding of the system and help identify repurposing attacks, which will be tested for confirmation.

Ok let’s go!

Internet Explorer whitespace-as-comment hack to bypass input filters

Chris Weber — Thu, 11 Jan 2007 08:00:00 +0000

When testing for XSS (cross-site scripting) issues, you often need to bypass filters and perform different sorts of encodings and other trickery. To be a good tester you also need to know how the browsers you’re concerned with behave differently. In Internet Explorer 6.0 there’s a behavior that’s allowed seemingly impassible input validation filters to be bypassed. Note that the issue is not the browser’s fault, it’s the fault of an improperly designed input validation mechanism on the server. Okay to illustrate the point.

You’re testing a web app that has an input field. Some script tags are allowed but is not. By replacing the whitespace with a comment, your code is accepted. When returned to the browser, IE 6.x, the comment is interpreted as whitespace and the code is executed fine. Test it out:

//Start HTML //End HTML

This trick can be useful for more than just bypassing filters…