11

Let's say I have a website at https://example.com/test. Whenever someone accesses this site, I want to just simply redirect them to https://example.com/Test.

Are there any possible vulnerabilities here? Or is this method safe since all I am doing is redirecting from one secured site to another?

Anders
alex067
  • 2
    Is it just one redirect from one site to another, or are you hinting at some sort of rule for how you redirect depending on upper and lower case? – Anders Apr 12 '18 at 09:16
  • 22
    You ask about "another site", but this generally looks like the same site. – chrylis -cautiouslyoptimistic- Apr 12 '18 at 15:15
  • 34
    You ask "another site", but give same-site examples. Can you clarify which you mean? – Soron Apr 12 '18 at 15:32
  • 7
    To expound on @chrylis and EthanKaminski's comments, the term "site" is generally used to refer to a domain, while "page" refers to a particular address. So `https://example.com/test` and `https://example.com/Test` are different webpages on the `https://example.com` site. – Acccumulation Apr 12 '18 at 18:13
  • You may be interested in this method: [`history.replaceState(null, document.title, 'Test');`](https://developer.mozilla.org/en-US/docs/Web/API/History_API#The_replaceState()_method) – Patrick Roberts Apr 13 '18 at 02:26
  • @Acccumulation: While this might be nitpicky, I have the gut feeling it needs clarification: `https://example.com` is not a [domain](https://en.wikipedia.org/wiki/Domain_name), but a [URL](https://en.wikipedia.org/wiki/URL) (or more generally a URI, which is a superset of URLs and URNs). And I am not sure if one can say that "(web)site" is used to refer to the startpage, a.k.a. [homepage](https://en.wikipedia.org/wiki/Home_page). Even further, whole websites (and arbitrary many of them) may be located on any URL, not just the one featuring nothing after the slash behind the domain. – phresnel Apr 13 '18 at 13:57
  • @phresnel URLs are used to identify domains. I didn't say that "site" refers to the homepage; "https://example.com/test and https://example.com/Test are different webpages on the https://example.com site." clearly means that the site is not just the homepage but other pages as well. – Acccumulation Apr 13 '18 at 14:44
  • @Accumulation: `URLs are used to identify domains`: This does not make more sense than "Cars identify license plates" or "Bicycles are mounted to brakes". A domain is just one possible part of a URL. In oversimplified form, a URL goes like this: `[scheme]://[domain]/[path]` (for full definitions, see URLs provided earlier). – phresnel Apr 13 '18 at 15:46

5 Answers

30

/test and /Test are both hosted on example.com … so it's just a page redirect not a domain redirect … this is a non-issue.

People redirect like this all the time, for instance redirecting from HTTP to HTTPS is pretty much industry standard at this point.

unor
CaffeineAddiction
  • 1
    The exception would be if a domain has been subdivided. E.g. user1 has control over `example.com/user1` and subdomains, user2 has control over `example.com/user2` and subdomains, etc. And theoretically, if the string "https://example.com/test" is generated dynamically, that could open an injection vulnerability. – Acccumulation Apr 12 '18 at 18:18
  • maybe? but a redirect doesn't automatically grant you permission ... if I get redirected from /index.html to /superTopsecretKittys.html ... I'm still going to get a `401 Unauthorized` – CaffeineAddiction Apr 12 '18 at 20:14
  • Yes, but it raises phishing issues. If I can do an injection attack that gets a website to redirect users to my website, then I can be like "Whoops, there's an error, you need to re-enter your credentials". – Acccumulation Apr 12 '18 at 20:26
  • 5
    that's a completely different issue ... if you inject something into someone's website ... they have bigger problems than a simple redirect. – CaffeineAddiction Apr 12 '18 at 22:21
  • I wouldn't mention HTTP to HTTPS here. There *are* some weak spots in doing so that aren't relevant to the OP's description. – jpmc26 Apr 13 '18 at 08:42
  • As an aside, redirecting from HTTP to HTTPS has a lot more considerations than a more "standard" redirect. You're potentially very vulnerable to SSL strip and if you're doing such a redirect, you almost certainly want to look into HSTS preload and the weaknesses of that method. Mind you, even with HSTS, you're potentially vulnerable to SSL strip with a look-a-like domain... :/ – Kat Apr 17 '18 at 19:01
18

Implemented correctly, there are no issues with this.

There are two things you should look out for (I assume that test is not static here, but user supplied, so you e.g. want to upper-case every path):

  • Open Redirect: If your redirect is implemented incorrectly, it might be possible for an attacker to redirect outside of your domain, which could be used in phishing attacks
  • CSRF: If your CSRF protection is only a simple referer check (which isn't recommended), and if you have state-changing GET requests (which also is not recommended), those may be possible to exploit, depending on your implementation of the redirect mechanism
tim
9

Redirecting users to a different page or domain is a normal practice followed by many developers (even MNCs including FB, fb.com redirects to facebook.com). It's no harm if you try to redirect requests in a secure way.

You might want to check the OWASP Cheat Sheet for Unvalidated Redirects and Forwards (also called Open Redirection). This document provides secure ways to redirect URLs in multiple programming languages.

Suraj
1

As long as the hostname remains the same and your users trust it, it should not be a problem.

This sort of redirection is common across the internet and helps to provide a better user experience.

For instance:

You have a resource at https://testwebsite.com/Test, but due to some typo or developer's mistake it is written as https://testwebsite.com/test. The redirection will help the user see the appropriate file instead of a 404 file not found error or an internal server error.

-4
  1. Redirect within the same domain - no risk. (because your domain is trusted)

    Example: https://domain.com/login redirect to https://domain.com/dashboard

  2. Redirect to third party website is medium severity risk if you are leaking sensitive data like access_token, secret keys to the third party website.

    Example: https://domain.com/redirect_to_fb redirect user to https://fb.com

  3. Attacker controlled redirect leads to:

    a. Phishing https://domain.com/login?redirect_to=http://evil.com

    b. Cross Site Scripting (XSS) issue: https://domain.com/login?redirect_to=javascript:alert(document.cookie)

    c. Leaking tokens Example: https://domain.com/login?redirect_to=https://attackerdomain.com Example: https://r0rshark.github.io/2015/09/15/microsoft/

    d. Content Security Policy bypass

    e. Referrer check bypass

    f. URL whitelist bypass

    g. Angular ng-include bypass

If an attacker is able to control the redirect then it's a serious issue.

Vilican
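
Two of the answers above hinge on whether the redirect target is attacker-influenced: the open-redirect caveat for user-supplied paths and the `redirect_to` cases in the last answer. As an added example (not code from any of the posters), this Python sketch pairs a case-normalizing redirect driven by a server-side route table with a validator for a `redirect_to`-style parameter. The route table, function names and fallback path are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed route table (assumption): lowercase key -> canonical spelling.
CANONICAL = {p.lower(): p for p in ("/Test", "/Dashboard")}
FALLBACK = "/"  # assumed safe landing page


def case_redirect(request_path):
    """Return the Location for a wrong-case request, or None if no redirect.

    The Location value always comes from the server-side table, never from
    the request, so the client cannot steer it off-site.
    """
    canonical = CANONICAL.get(request_path.lower())
    if canonical is None or canonical == request_path:
        return None
    return canonical


def safe_redirect_target(raw):
    """Return raw only if it is a same-site absolute path, else FALLBACK."""
    # Whitespace and control characters: header splitting (CR/LF) and
    # characters that browsers strip before parsing the URL.
    if not raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return FALLBACK
    # Browsers treat "\" like "/", so "/\host" behaves like "//host".
    if "\\" in raw:
        return FALLBACK
    # Exactly one leading slash: rejects "//host" (scheme-relative) and
    # anything with a scheme such as "http:" or "javascript:".
    if not raw.startswith("/") or raw.startswith("//"):
        return FALLBACK
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return FALLBACK
    return raw


if __name__ == "__main__":
    # Constructed inputs, including the redirect_to values quoted above.
    for value in ("/dashboard", "http://evil.com", "//evil.com",
                  "javascript:alert(document.cookie)", "/\\evil.com"):
        print(repr(value), "->", safe_redirect_target(value))
    print("/test ->", case_redirect("/test"))
```
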