Unvalidated Redirects And Forwards

Unvalidated Redirect and Forwards

Overview of the Vulnerability

Unvalidated redirects and forwards occur when an application accepts user input that is not validated into the target of a redirection. This input causes a redirection to an external domain, manipulating a user by redirecting them to a malicious site. An open redirect was identified which can impact users' ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.

This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users' credentials or gain users' OAuth access by relaying them through an Open Redirection, to a server they control (and can see the inbound requests from).

Business Impact

Unvalidated redirects and forwards can result in reputational damage for the business as customers' trust is negatively impacted by an attacker sending them to a phishing site to extract login credentials, or coercing them to send a financial transaction.

Steps to Reproduce

  1. Using a browser, navigate to: {{URL}}

  2. Copy and modify the URI so that the URL redirects to url=<http://www.bugcrowd.com/

  3. Submit this in a new browser window and you should be redirected to the Bugcrowd website.

Proof of Concept (PoC)

The screenshot below demonstrates the unvalidated redirect or forward executing:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.

For an unvalidated redirects or forwards, please provide instructions on how to navigate the target to the vulnerable request and execute the redirect. Evidence can be screenshots or the raw method-path-protocol from a HTTP request and the subsequent 200 response.

Do not redirect to an unapproved third party website. Successfully redirecting to https://bugcrowd.com/ is sufficient.

PreviousXSLT Server Side InjectionNextLack of Security Speed Bump Page

Last updated