
I have this URL that I sometimes use to redirect my users. It looks like:

https://mywebsite.com/?redirectTo=

However, I'm checking if the domain part of the parameter ends with:

google.com
mydomains.com

and some other domains I consider valid.

So, can someone hack my website if I have those checks in place?

Mike Ounsworth
  • If you just check the prefix the following is possible: `https://mywebsite.com/?redirectTo=https://google.com.attacker.net/`. But if this results only in the redirect this is not really a hack of the website but only a misuse using an open redirect vulnerability. – Steffen Ullrich Mar 17 '19 at 18:11
  • Steffen, sorry, I'm checking the suffix, not the prefix. I wrote it wrong in the question. I'm checking if the domain part ends with mywebsite.com (and some other valid domains) – Stephen H. Anderson Mar 17 '19 at 18:26
  • It should check for `.google.com$` + `^google.com$`, not `google.com$` also matching `attackersgoogle.com`. – Esa Jokinen Mar 17 '19 at 18:38

1 Answer


While it is impossible to tell, as you have not supplied any source code, I would say maybe: if you are just checking the website as a sub-string to see if it is valid, have you considered the following?

There are many ways to get around the restriction of just validating the end of a string. It would be much better if you whitelist the exact domains that are accessible rather than relying on regex.

meowcat
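As an added example (not code from the question or the answer), here is the difference between the suffix check the question describes and the exact-or-subdomain allowlist check the comments and answer recommend, in Python. The allowlist is constructed from the domains mentioned in the question; the two bypass strings are the ones quoted in the comments.

```python
from urllib.parse import urlsplit

# Constructed allowlist of redirect targets, using the domains named in the question.
ALLOWED_HOSTS = {"google.com", "mydomains.com", "mywebsite.com"}


def naive_suffix_check(url: str) -> bool:
    """The weak check from the question: does the string end with an allowed domain?

    This passes 'https://attackersgoogle.com', because only the characters at the
    end are compared, and it never looks at which part of the URL is the host.
    """
    return any(url.rstrip("/").endswith(host) for host in ALLOWED_HOSTS)


def redirect_host_allowed(url: str) -> bool:
    """Parse the URL, isolate the hostname, and accept it only if it is exactly an
    allowlisted host or a subdomain of one (the '^host$' / '\\.host$' rule from
    the comments, applied to the hostname rather than the whole string)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        # Rejects scheme-relative ('//host/') and non-web schemes outright.
        return False
    host = parts.hostname  # lower-cased, without port or userinfo
    if not host:
        return False
    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


if __name__ == "__main__":
    for candidate in ("https://accounts.google.com/", "https://attackersgoogle.com/",
                      "https://google.com.attacker.net/"):
        print(candidate, naive_suffix_check(candidate), redirect_host_allowed(candidate))
```

Relative paths such as `/dashboard` are rejected here because they have no scheme; if those are wanted as redirect targets they need their own rule, which is a separate question from host validation.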