
I'm working on a site where users can input URLs.

The URLs should point to sites where you can buy an item (for birthday/special event/...).

It also sends out mails to e-mail addresses the user provides.

Now, I would like to assess how unsafe this is and to mitigate the unsafeness if possible. (It's a hobby project, if it's too unsafe I'll abandon it).

I'm mostly concerned with the URLs.

I can imagine that it isn't impossible to find someplace in an online store where a redirect is issued (and where an attacker could inject a custom URL).

Is it safe to only accept URLs (given on my site) that respond with an HTTP code 200? (In other words, is every redirect which is not issued by JavaScript only possible if the HTTP return code is different from 200?)

schroeder
MadBoomy

1 Answer

is every redirect which is not issued by JavaScript only possible if the HTTP return code is different from 200?)

You have HTTP redirects with status code 30x. Then you have script-based redirects. And then you have refreshes, which can be either inside the HTTP header or inside the HTML, see here for examples for both variants.

Apart from that, just because a site returned status code 200 once, you cannot assume that it will return this code forever and add it to the list of URLs on your site.

And even if a site returns 200, it might embed malicious content, currently or maybe in the future or only for specific visitors.

Steffen Ullrich
  • Could you assume big retail sites are handling this kind of attack properly? – MadBoomy Feb 15 '18 at 08:50
  • @Bamboomy: no, you cannot assume this. Many big companies had security problems in the past. – Steffen Ullrich Feb 15 '18 at 08:52
  • OK, thanks for your answer, I'm not happy with it, but I'm not working on a site which is an easy target for hackers anymore :-) thanks for your swift response :-) all of the best, S. – MadBoomy Feb 15 '18 at 08:54
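
The redirect mechanisms listed in the answer above, as an added example that is not part of the original thread: a checker that inspects one already-fetched response for a 30x `Location`, a `Refresh` header, and an HTML meta refresh, showing that two of the three arrive with status 200. The function names, sample responses and the `example.test` host are constructed for illustration; script-based redirects and content that changes later or per visitor are not detectable this way.

```python
from html.parser import HTMLParser


class _MetaRefresh(HTMLParser):
    """Collects the content of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            self.targets.append(a.get("content", ""))


def redirect_signals(status, headers, body):
    """Return the non-JavaScript redirect mechanisms present in one response."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    if 300 <= status < 400 and "location" in h:
        found.append(("http-30x", h["location"]))
    if "refresh" in h:  # sent alongside any status, including 200
        found.append(("refresh-header", h["refresh"]))
    parser = _MetaRefresh()
    parser.feed(body)
    found += [("meta-refresh", t) for t in parser.targets]
    return found


# Constructed sample responses: (status, headers, body).
SAMPLES = {
    "plain": (200, {"Content-Type": "text/html"}, "<html><body>Item</body></html>"),
    "30x": (302, {"Location": "https://example.test/a"}, ""),
    "header": (200, {"Refresh": "0; url=https://example.test/b"}, "<html></html>"),
    "meta": (200, {}, '<html><head><META HTTP-EQUIV="Refresh" '
                      'content="0; url=https://example.test/c"></head></html>'),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, resp[0], redirect_signals(*resp))
```
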