POST Based

POST-Based Open Redirect

Overview of the Vulnerability

Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A POST-based open redirection was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.

This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users’ credentials or gain users’ OAuth access.

Business Impact

POST-based open redirects can result in reputational damage for the business as customers’ trust is negatively impacted by an attacker sending them to a phishing site to extract login credentials, or coercing them to send a financial transaction.

Steps to Reproduce

  1. Using a browser, navigate to: {{URL}}

  2. Open the attached HTML file in the target browser and follow the prompts

  3. Submit this in a new browser window and you should be redirected to the Bugcrowd website

Proof of Concept (PoC)

The screenshot below demonstrates the POST-based open redirect executing:

{{screenshot}}

Recommendations(s)

The application should avoid incorporating user-controlled data within redirect targets. This can be achieved by removing the redirect function and replacing it with direct links to the appropriate URL. Additionally, a server-side allow list of trusted URLs can be used as permitted redirect URLs that the website can link to.

It is recommended best practice that all redirects go through an intermediate disclaimer page that notifies the user that they are navigating away from the website.

For more information, see Open Web Application Security Project (OWASP): https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

PreviousHeader BasedNextTabnabbing

Last updated