This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2010-A10-Unvalidated Redirects and Forwards"
From OWASP
| (3 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
{{Top_10_2010:TopTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=A9-Insufficient Transport Layer Protection|next=What's Next For Developers}} | {{Top_10_2010:TopTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=A9-Insufficient Transport Layer Protection|next=What's Next For Developers}} | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | {{Top_10_2010:SummaryTableHeaderBeginTemplate}} | |
| − | + | {{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE}} | |
| − | + | {{Top_10_2010:SummaryTableValue-3-Template|Prevalence|UNCOMMON}} | |
| + | {{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY}} | ||
| + | {{Top_10_2010:SummaryTableValue-2-Template|Impact|MODERATE}} | ||
| + | {{Top_10_2010:SummaryTableHeaderEndTemplate}} | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users use could do this.</td> | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks.</td> | ||
| + | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.</td> | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.</td> | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of retaining your users’ trust.<br/><br/>What if they get owned by malware?<br/><br/>What if attackers can access internal only functions?</td> | ||
| + | {{Top_10_2010:SummaryTableEndTemplate}} | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=10}} | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=10}} | ||
The best way to find out if an application has any unvalidated redirects or forwards is to: | The best way to find out if an application has any unvalidated redirects or forwards is to: | ||
| Line 48: | Line 33: | ||
Scenario #1: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. | Scenario #1: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. | ||
| − | + | {{Top_10_2010:ExampleBeginTemplate}}<nowiki>http://www.example.com/redirect.jsp?url=evil.com</nowiki>{{Top_10_2010:ExampleEndTemplate}} | |
Scenario #2:The application uses forward to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access. | Scenario #2:The application uses forward to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access. | ||
| − | + | {{Top_10_2010:ExampleBeginTemplate}}<nowiki>http://www.example.com/boring.jsp?fwd=admin.jsp</nowiki>{{Top_10_2010:ExampleEndTemplate}} | |
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=10}} | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=10}} | ||
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} | ||
Latest revision as of 16:17, 24 October 2011
NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.
| ← A9-Insufficient Transport Layer Protection | Top 10 Risks |
What's Next For Developers → |
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability AVERAGE |
Prevalence UNCOMMON |
Detectability EASY |
Impact MODERATE |
Application / Business Specific |
| Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users use could do this. | Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks. | Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page. | Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass. | Consider the business value of retaining your users’ trust. What if they get owned by malware? What if attackers can access internal only functions? |
|
|
Am I Vulnerable To 'Unvalidated Redirects and Forwards'?
The best way to find out if an application has any unvalidated redirects or forwards is to:
|
How Do I Prevent 'Unvalidated Redirects and Forwards'?
Safe use of redirects and forwards can be done in a number of ways:
It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL. Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe. Avoiding such flaws is extremely important as they are a favorite target of phishers trying to gain the user’s trust. |
|
Example Attack Scenarios
Scenario #1: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. http://www.example.com/redirect.jsp?url=evil.com
Scenario #2:The application uses forward to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access. http://www.example.com/boring.jsp?fwd=admin.jsp
|
References
OWASP External |
| ← A9-Insufficient Transport Layer Protection | Top 10 Risks |
What's Next For Developers → |
