
I have created vulnerable code for an open redirect vulnerability, but now I want to secure it. Unfortunately, I didn't find anything on Google, so I decided to come here.

So, this is my HTML file code, in which I provide the `next` parameter.

```html
<html>
<form action="/demo/userin2.php?next=http://somedomain.com" method="POST">
<center>
<table>
<tbody>
<tr><td><b>Username</b></td> <td><input type="text" name="username" value=""></td></tr>
<tr><td><b>Password</b></td> <td><input type="password" name="password" value=""></td></tr>
</tbody>
</table>
<input type="submit" name="go" value="go">
</center>
</form>
</html>
```

Now my userin2.php file is below:

```php
<?php
session_start();
ob_start();   // buffer the output so the header() call at the bottom still works after the echo
?>
<html>
<style>body {
    background-color: #C0C0C0;
}
</style>
<center><img src="/dashboard/demo.jpg" width="500" height="100"></center>

<?php
$conn = mysqli_connect('localhost', 'sqltest', 'sqltest', 'sqltest')
    or die("failed to connect to db: " . mysqli_connect_error());

// Prepared statement: the submitted values are bound as parameters, not concatenated into the SQL
$query = "SELECT Username, Password, userid FROM userinfo WHERE username=? AND password=?";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 'ss', $_POST['username'], $_POST['password']);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $Username, $Password, $userid);

if (mysqli_stmt_fetch($stmt)) {
    echo "Good to see you again Mr. " . $Username;   // the row was fetched, so its columns can be used like this
}
else {
    echo "user not found";
}
mysqli_stmt_close($stmt);
?>
<?php
// ---- highlighted part: the redirect ----
$redirect = $_GET['next'];             // taken straight from the query string, no check at all
header("Location: " . $redirect);
?>
</html>
```

I have highlighted the main part of my PHP file.

So that's all I have. Now how do I secure it?

I hope I have explained my question successfully now.

januu agrawal

1 Answer


The difference between an open redirect vulnerability and a non-vulnerable redirect is that the latter only allows redirects acceptable to the application. Which redirects are acceptable and how the validity is checked depend on the specific application. In some cases it might be some whitelisting using a regular expression, sometimes it might require a database lookup, sometimes the URL parameter is protected against modification by using an HMAC, and there are probably other cases.

In essence, you first need to know and describe in detail what is considered a valid target for redirects in your specific application. Only then can you implement the required behavior in a secure way.

Steffen Ullrich
  • hello Steffen, actually what I am doing is I just created a test application for capturing a clear picture of what is behind the attack. **So can you please edit my code into secure code?** – januu agrawal Dec 29 '17 at 10:10
  • @januuagrawal: It is not clear from your question what valid redirects are in the context of your app. Without this information it is impossible to harden the code in order to make invalid redirects impossible. Also, SE is no "fix my code" site but instead provides help so that you can fix the code yourself. – Steffen Ullrich Dec 29 '17 at 10:18
  • Okay, I am editing my question with the full app code. – januu agrawal Dec 29 '17 at 10:22
  • Check it this time; did you get a deeper idea? – januu agrawal Dec 29 '17 at 10:34
  • @januuagrawal: The code dump does not help a lot. First, your HTML and PHP don't fit together (parameter `next` vs. parameter `url`). But worse, there is still nothing really in your question which clearly says what restrictions should apply to the redirect. One might maybe assume that you only want to allow a redirect to the parameter `next` you've set in the form. In this case you could use an HMAC to protect this parameter against modification by the user or have a fixed list of allowed redirect URLs. Instead of dumping the code it might be better to describe the expected behavior. – Steffen Ullrich Dec 29 '17 at 11:35
  • Yeah! Now you get the point here. How can I get the fixed allowed URL? – januu agrawal Dec 29 '17 at 11:45
  • 1
    @januuagrawal: if you have a fixed URL for redirect simply ignore the `url` parameter, hard code this fixed URL in your PHP code and write this hard coded URL in the Location header. If you want to have more flexibility compute the [HMAC](https://secure.php.net/manual/en/function.hash-hmac.php) of this URL and some secret, add it as `next_hmac` or similar parameter, include the secret in your PHP code and verify there if the HMAC if `next` matches `next_hmac`. – Steffen Ullrich Dec 29 '17 at 12:26
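As an added example (not the asker's or the answerer's code), this is how the highlighted redirect could be rewritten along the lines of the last comment: the form page signs its intended target, and userin2.php honours `next` only when `next_hmac` verifies, falling back to a fixed URL otherwise. `REDIRECT_SECRET`, `DEFAULT_AFTER_LOGIN`, `signed_next()` and `redirect_target()` are assumed names; the domains and secret are constructed values.

```php
<?php
// Server-side secret that authenticates redirect targets. Assumed name; in a real
// deployment load it from configuration rather than hard-coding it.
const REDIRECT_SECRET = 'replace-with-a-long-random-secret';

// Fixed fallback destination when no acceptable `next` is supplied (assumed value).
const DEFAULT_AFTER_LOGIN = '/demo/home.php';

// Used by the page that emits the login form: signs the intended target so that
// userin2.php can later verify it. Returns the query string to put in the action URL.
function signed_next(string $target): string {
    $mac = hash_hmac('sha256', $target, REDIRECT_SECRET);
    return 'next=' . rawurlencode($target) . '&next_hmac=' . $mac;
}

// Decides where to redirect. `next` is honoured only when `next_hmac` is the HMAC
// the server itself computed for it; anything else falls back to the default.
// Call this before any output, e.g.  header('Location: ' . redirect_target($_GET)); exit;
function redirect_target(array $get): string {
    if (!isset($get['next'], $get['next_hmac'])) {
        return DEFAULT_AFTER_LOGIN;
    }
    $expected = hash_hmac('sha256', (string) $get['next'], REDIRECT_SECRET);
    // hash_equals compares in constant time, so the MAC cannot be guessed byte by byte
    if (!hash_equals($expected, (string) $get['next_hmac'])) {
        return DEFAULT_AFTER_LOGIN;
    }
    return (string) $get['next'];
}

// Self-check with constructed values; runs from the command line without a web server.
function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

parse_str(signed_next('http://somedomain.com'), $signed);   // what the form would send
check(redirect_target($signed) === 'http://somedomain.com', 'signed target accepted');

$tampered = ['next' => 'http://other.example/', 'next_hmac' => $signed['next_hmac']];
check(redirect_target($tampered) === DEFAULT_AFTER_LOGIN, 'modified target rejected');

check(redirect_target(['next' => 'http://somedomain.com']) === DEFAULT_AFTER_LOGIN,
      'unsigned target rejected');
echo "redirect checks passed\n";
```

The redirect decision has to happen before the HTML is echoed, since `header()` cannot be sent once output has started; the check itself only proves the target was issued by this server, so the list of targets the form signs is still the place where "what is a valid redirect" gets decided.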