This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Execution After Redirect (EAR)

From OWASP
Revision as of 18:18, 2 May 2017 by Robert Gilbert (talk | contribs) (Removed stub)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


Last revision (mm/dd/yy): 05/2/2017

Overview

Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application.

How to Test for EAR Vulnerabilities

Using most proxies it is possible to ignore redirects and display what is returned. In this test we use Burp Proxy.

  1. Intercept request https://vulnerablehost.com/managment_console
  2. Send to repeater.
  3. View response.

How to Prevent EAR Vulnerabilities

Proper termination should be performed after redirects. In a function a return should be performed. In other instances functions such as die() should be performed. This will tell the application to terminate regardless of if the page is redirected or not.

Examples

The following code will check to see if the parameter "loggedin" is true. If it is not true, it uses JavaScript to redirect the user to the login page. Using the "How to Test for EAR Vulnerabilities" section or by disabling JavaScript in the browser, the same request is repeated without following the JavaScript redirect and the "Admin" section is accessible without authentication. 

<?php
if (!$loggedin) {
    print "<script>window.location = '/login';</script>\n\n";
}
?>
<h1>Admin</h1>
<a href=/mu>Manage Users</a><br />
<a href=/ud>Update Database Settings</a>

References

Retrieved from "https://wiki.owasp.org/index.php?title=Execution_After_Redirect_(EAR)&oldid=229345"