Preventing Malicious Redirects

If your site permits open redirects, you may be unknowingly helping attackers take advantage of your user base.

Risks

Prevalence
Common
Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354
Exploitability
Easy
Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b
Impact
Worrying
Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd

Redirects are a useful function to have when building a website. If a user attempts to access a resource before they are logged in, it is conventional to redirect them to the login page, put the original URL in a query parameter, and after they have logged in, automatically redirect them to their original destination. This type of functionality shows you are putting thought into the user experience, and is to be encouraged. However, you need to be sure anywhere you do redirects, they are done safely – otherwise you are putting your users in harm’s way by enabling phishing attacks.

Modern web-mail services are very good at spotting spam and other types of malicious messages. One detection method they use is to parse the out-bound links in HTML emails. These links are compared to a black-list of banned domains; if the domain is deemed to be malicious, the email is redirected to the junk folder.

This is why spammers and phishers find open redirects so enticing. If they can “bounce” a user off your website (an apparently valid domain), their messages are less likely to be marked as malicious. If the user clicks on the link, they will see your website in the link, but they will end up at whatever site the attacker wants to direct them to. A confused user might download malware or worse, because of the trust they put in your site!