Security testing for unvalidated redirects and forwards
Security expert John Overbaugh gives security testers the information they need in order to ensure the Web application code that they’re responsible for is protected.
The Open Web Application Security Project (OWASP) top ten Web application vulnerabilities list includes an attack termed “Unvalidated Redirects and Forwards.” Continuing in a series of articles on how to test for top ten vulnerabilities, this article gives security testers the information they need to understand unvalidated redirects and forwards and how to test for them.
What are unvalidated redirects and forwards?
As websites are developed, enhanced and modified, old site functionality is frequently redirected to new URLs. As sites introduce support requirements for various platforms, requests are frequently redirected to applications catering to non-standard form factors. These redirects and forwards are a benefit to the user because they direct the user to improved functionality without requiring user input. They can, however, serve as an attack vector for malicious users. Very often, redirects and forwards are programmatically built based on user input; for instance, a request for the “myapp” portion of a site may be redirected when a mobile browser is detected. That redirect is often built using a request parameter, as in the example below:
In this example, the request is redirected via the \myapp\redirect.jsp functionality. The query string parameter of the requested URL is passed into the redirect function. The redirect function is often implemented in a secure manner—it simply issues a redirect based on the parameter, without any validation—which could look something like this:
How can this be used for malicious purposes? Hackers can easily leverage a redirect like this to launch a cross-site scripting or drive-by download attack. By sending a user of the Web application link like this:
The hacker can trick the user into clicking what appears to be a valid link (it’s linking to www.mysite.com), but which results in sending traffic to the hacker’s malicious site.
Testing for unvalidated redirects
As a tester, you have a number of responsibilities. One of the greatest is ensuring the security of the Web application you test. Your first job in testing unvalidated redirects and forwards is to detect them in your application. There are four ways to accomplish this:
- Automated code scanning with security-aware source code analysis tools
- Automated detection with website spidering or crawling tools
- Manual code scanning
- Manual testing
Most second-generation code scanning tools (of which few open source solutions exist; most are commercial products) do a great job of detecting unvalidated redirects. Using a tool like this can reduce the effort required by testing. If a code analysis tool isn’t available, a site crawling tool like Xenu, or even a quickly-assembled Python script, can be used to make requests. As requests are made, the tool should categorize responses based on the server response code. Any request which results in a “300” HTTP response code is generally a redirection. Once the automated spider is complete, it’s a simple task to filter out all requests which resulted in a 300 HTTP response—you now know where to focus your manual testing efforts.
The manual discovery process is obviously more intensive. Manually reviewing source code generally requires a working knowledge of the language in which the application has been programmed. Most development environments include a search function, which reduces the scope of effort somewhat. Simply searching for “sendRedirect” can help you uncover instances in site source code where redirects are being performed. Remember to keep your manual code review to small, manageable chunks – in my experience, productivity plummets after four consecutive hours of manual code review, and it begins to drop after just two hours.
Finally, manually spidering the site is an option – not one I advise, given that there are so many open source tools, but there may be a valid reason to take this approach. In that case, your test would be to look at all requests, keeping an eye out for application functionality which results in a redirect. To manually spider a site requires you to click on every link. The intensive work in this effort comes because Ajax-enabled sites often execute requests behind the scenes; you will need an interception proxy like Burp Suite or WebScarab to view and track requests in Ajax applications.
Once you understand where your application performs redirection, it’s a simple task to detect redirection vulnerabilities. Examine the feature set to understand the intended scope of redirection (most redirects are intended to be within the site, or at least within a property owned by the organization). Test redirection with GET and POST parameters which fall outside of the scope. If the redirect attempts are successful, you likely have a vulnerability.
Note that a vulnerability’s severity will be related to the access permissions applied to the redirect. If a redirect can only be performed when a user is logged in, it is still a security vulnerability. The severity is lower because the user must have an active account and an active session (or stored site credentials).
Recognizing secure redirects
A secure redirect is one in which user input is limited, filtered or validated to include a small list of acceptable parameters. Several techniques exist to secure redirects, including: 1) validating all redirects fall within a pre-defined scope prior to sending the redirect response; 2) limiting user input to paths within the application; 3) mapping the input to a table of valid URLs or 4) limiting user input to portions of a URL, and building the URL programmatically by controlling the base URL and portions of the file path.
As you test, check the redirect result to ensure one of the four methods above is being implemented to protect your site’s users.
Testing for redirects and forwards is one of the many challenges that a tester faces. Fortunately, good tools and techniques exist to help limit the required effort. As you tighten your Web application, your users will benefit from a more secure experience, and you’ll sleep better at night too.
Follow us on Twitter at @SoftwareTestTT and let us know what you thought of this article.