10

While browsing for Node.js packages, I came across this one. Its purpose is to redirect crawlers away from a site, and by default it Rickrolls them. I find the idea amusing, but is it a good idea to do this to intruders, given that unvalidated redirects are a security risk?

Philip Rowlands

  • I don't want to burst your bubble, but the chance that the owners of these scanners actually notice that you've redirected them to a Rickroll video is low. These guys are interested in the servers they've managed to infect, not what happened after an unsuccessful attempt. – Simon Jan 13 '16 at 19:19
  • While amusing, I suspect this isn't very effective. Automated searches from bots, quite possibly running on zombies, don't really care where you redirect them. In fact, I would suspect that they simply ignore the redirect and determine that the requested URL isn't vulnerable. – Neil Smithline Jan 13 '16 at 20:55
  • [Imagine if the intruder algorithm comes across a false positive.](http://sayforward.com/sites/default/files/ext_image/5189_944d.gif) – MonkeyZeus Jan 13 '16 at 21:06
  • The biggest problem I see with this is that rickrolls are so horribly dated I doubt even the Garfield strip would touch them at this point. – Superbest Jan 13 '16 at 23:18

2 Answers

17

Unvalidated redirects do not necessarily apply here. An unvalidated redirect is something more along the lines of an attacker being able to send a victim to a destination of the attacker's choosing. If you read the example on the OWASP page you linked at the bottom, you will see that the attacker crafts a URL that can be sent to a victim using social engineering or otherwise. A static redirect coming from a server is a completely different scenario.

While rickrolling an attacker may seem amusing, legitimate users would be quite confused if they are given a link to your site which automatically rickrolls them, decreasing the user's trust.

Jason Higgins

  • We're not using PHP, so it wouldn't have been any use to us anyway. But your paragraph on usability is a very, very good point. – Philip Rowlands Jan 13 '16 at 19:58
2

All of the examples in the page you link are talking about cases where the user supplies all or part of the URL to be redirected to - unless I'm missing something about the Node.js package you linked, the parameter is supplied in the server configuration, so it is not vulnerable to exploits related to parameters passed by an attacker. Assuming no malicious user has control of your site (in which case, there are a myriad ways they can force a user to redirect to a site they control anyway), I don't see how this could introduce a vulnerability. That said, you will need to be very careful to only give it URLs which users would never hit legitimately or through mistaken typing.

IllusiveBrian