-2

On the website I'm building users can submit links to various of their personal page: YouTube accounts, Twitter, Facebook and a lot more. When he does so he furnishes the ID to his account. For example if the user freddiew wants to link his YouTube account, he just enter freddiew in the field and a link to https://www.youtube.com/user/freddiew will appear on his page.

I do it this way to prevent fishing. I'm wondering if there are things I need to worry about that I didn't think of? Better safe than sorry.

To clarify on the website I'm making an user can give his Steam id for example.

  1. He types his Steam ID: louis.
  2. On his profile page a link will appear : http://steamcommunity.com/id/Louis.

My question is: is there a way for the user to redirect someone by adding some special string? In the same fashion you can add &direction=right to add a parameter, is there a string that don't know about that can redirect the user like &redirect=true&url=myphishingsite.com? I doubt it but I wanna be sure.

The reason I'm paranoid is because some of these sites I'm linking to are notorious for having people fall for phishing on them. I wanna save my users that hassle.

For example Facebook didn't sanitize an input that would redirect . It is fixed now but it did happen. So should I regex the input? If so, what char should I not allow?

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
Ced
  • 179
  • 2
  • 10
  • 1
    When you enter URL, you will be aware of what you are typing. Also, you won't attempt a bogus URL instead and there are very lesser chances of you to get into trouble. So, when there is a safe way, why to worry and look for profile by typing in the Id? Also you have secure login to these accounts. – Arun Anson Jan 06 '16 at 04:33
  • Ced - Have you created a website that has this functionality? I guess that's what you're saying but want to double-check. – Neil Smithline Jan 06 '16 at 05:06
  • What phishing attacks are you worried about? – Neil Smithline Jan 06 '16 at 05:08
  • @ArunAnsonArouje I don't understand your comment. I might have worder myself wrongly though. I have created a site that has this functionality where user can type their profile id for say steam profile. With that id I create a link on their personal page where other users that visit their page can click on the link. Steam is notorious for having a lot of fishing sites. – Ced Jan 06 '16 at 07:39
  • @NeilSmithline Yes that's it; In reality my only worry would be if that a special string that I didn't know about could potentially redirect the user to another site (which I doubt but I wanna be sure). Say I have https://www.youtube.com/user/ and the rest is typed by the user, is there a way for someone who has to add to this url to make it redirect somewhere else ? That's my only worry tbh. Like the only thing I could think of is if one of those sites accept a param and redirect to that param, but that's unlikely. – Ced Jan 06 '16 at 07:42
  • @ced, I got you wong. I hope you are aware of what is phishing. It's basically another site that looks similar like your site and is made to trap the users of your site. I don't understand what is the relation between this URL and phishing. May be you could bring clarity to the question. People are down voting it. – Arun Anson Jan 06 '16 at 08:02
  • @ArunAnsonArouje is it clear now ? – Ced Jan 06 '16 at 08:12
  • I'm voting to close this question as off-topic because it would entirely depend on the implementation of your system, not on inherent security issues. – Matthew Jan 06 '16 at 09:40
  • @Matthew It has absolutely nothing to do with my implementation. It is a legitimate question... – Ced Jan 06 '16 at 09:45
  • If you aren't sanitizing data shown on your website, it is entirely to do with your implementation. You should sanitize special characters and so on before displaying - don't worry about the third party sites, since it's effectively their job to do the same. If you don't, your site is likely to cause problems itself. – Matthew Jan 06 '16 at 10:48
  • @Matthew I'm using jsf with jpa where with both sanitizing is built in. My question was about the third party site as you mentioned. Not XSS injections and such. – Ced Jan 06 '16 at 11:00
  • You have no control over those sites though - if Steam made a function tomorrow that takes everything after an `r` as a redirection target (I've seen `/r/*` before, so it would only be a typo away). All you can do is, as @WhiteWinterWolf said, filter on your side and hope that the other sites do the same... – Matthew Jan 06 '16 at 11:17

2 Answers2

3

Your real problem, as I understand it, is:

How can I prevent a user to put unauthorized characters which could open some security issues when I display the URL as a clickable link?

Your only and reliable solution is filtering.

In particular, the language you use to develop this website should offer you a function to filter the user's provided ID so it is suitable to be put as a URL CGI parameter (you must filter when building the output URL, not try to filter the value when storing it in the database).

For instance, in PHP, this function would be urlencode().

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
1

You don't need to worry about it as there won't be a function to make your user redirect to another site inside the SNS site.

Arun Anson
  • 76
  • 4
  • By SNS you mean social networking service ? Thanks. Though there was a function to redirect on facebook at some point in time. I guess if there is that on their website it's their own fault anyway. Upvoted, I'll wait a bit to see if there are other answers before accepting. – Ced Jan 06 '16 at 09:54