13

Are open redirects a security concern? Google writes that: "An open redirect isn't a bug or a security flaw in and of itself—for some uses they have to be left fairly open." And Google's bounty program doesn't view it as a bug:

Some members of the security community argue that open redirectors are a security issue. The common argument in favor of this view is that some users, when presented with a carefully crafted link, may be duped into thinking that they will be taken to a trusted page - but will not be attentive enough to examine the contents of the address bar after the redirection takes place.

Should open redirects be treated as bugs?

user389823

4 Answers

21

YES, and it's an OWASP top 10 violation: OWASP A10 - Unvalidated Redirect. These are valuable for phishing and spam. Recently it was uncovered that spammers were exploiting Open Redirect vulnerabilities on US .gov websites for profit.

Sjoerd
rook
    I lol'd so hard at that .gov redirect. Damn that's stupid. – Polynomial Oct 21 '12 at 12:04
  • @Rook, So are you saying that all URL shorteners are vulnerable? See http://security.stackexchange.com/q/59517/2379 – Pacerier Jun 06 '14 at 16:12
  • @Pacerier URL shorteners are sometimes used in phishing attacks, but having a URL like https://paypal.com or https://chase.com would be more valuable. – rook Jan 19 '15 at 19:33
  • The link has moved to http://www.secureworks.com/resources/blog/spam-government-websites-abused-ongoing-spam-campaign/ – Caqu Dec 16 '15 at 21:14
1

Definitely

Hackers can exploit the trust users have in a website with open redirection. They can cause users to go to sites that they normally would not; these sites could potentially be malicious and install malware on the user's computer.

Open redirection should be treated just like any other security bug.

CoderPE
1

There is no reason for using redirects on the website if it's not a public redirector. You can't pass any user-made data into the response header, and obviously allowing the status to be changed to 301 or 302 and the Location to be set is totally fatal.

To avoid such an issue, the redirect should not depend on a Location field submitted by the user; the field should be generated by the server, the user identified by a session ID, and the user session stored on the server. And this is it.

Andrew Smith
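Rook's answer above points at OWASP A10, and Andrew Smith's at keeping the destination on the server. As an added example (not code from the thread or from any of the answerers), the Python below puts the vulnerable pattern beside both fixes: a same-origin check performed on the *resolved* URL, driven through the bypass inputs a tester would try against it, and server-side indirection through an opaque single-use token. The application origin https://example.com, the `?next=` parameter name and the simplified request handling are assumptions made for illustration.

```python
"""Open redirects: the vulnerable pattern beside two fixes.

Added example, not code from the thread. The application origin
https://example.com, the ``next`` parameter and the simplified request
handling are assumptions for illustration.
"""
import secrets
from urllib.parse import urljoin, urlsplit, urlunsplit

APP_ORIGIN = "https://example.com"   # assumed origin of the hypothetical app
_ORIGIN = urlsplit(APP_ORIGIN)


def vulnerable_redirect_target(next_param: str) -> str:
    """The bug itself: the value of ?next= is copied straight into Location."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Only follow same-origin targets; anything else becomes ``default``.

    The supplied value is resolved against the app origin (so plain paths
    keep working) and the *resolved* URL is checked, because that is what
    the browser will actually fetch. An absolute URL on our own origin is
    returned, so a surviving "//" in the path cannot later be read by the
    browser as a protocol-relative URL.
    """
    if not next_param:
        return default
    # Browsers treat backslashes as slashes and ignore surrounding whitespace;
    # normalise the same way first, or "/\evil.example" parses as a plain path.
    candidate = next_param.strip().replace("\\", "/")
    try:
        parts = urlsplit(urljoin(APP_ORIGIN + "/", candidate))
        port = parts.port            # ValueError on a non-numeric port
    except ValueError:
        return default
    if parts.scheme != _ORIGIN.scheme or parts.hostname != _ORIGIN.hostname:
        return default   # //evil.example, javascript:, example.com.evil.example
    if port != _ORIGIN.port or parts.username is not None:
        return default   # https://example.com@evil.example, example.com:8443
    path = "/" + parts.path.lstrip("/")   # collapse "////evil.example"
    return urlunsplit((_ORIGIN.scheme, _ORIGIN.netloc, path, parts.query, ""))


class RedirectStore:
    """Server-side indirection: the destination never leaves the server.

    The server records where it intends to send the user under an opaque,
    single-use token; the client only ever sends the token back.
    """

    def __init__(self) -> None:
        self._targets = {}

    def issue(self, target: str) -> str:
        token = secrets.token_urlsafe(16)
        self._targets[token] = target
        return token

    def resolve(self, token: str, default: str = "/") -> str:
        # pop() makes each token single-use; unknown tokens fall back to default
        return self._targets.pop(token, default)


# Constructed probe inputs a tester would try against ?next=
PROBES = [
    "/account?tab=1",
    "https://example.com/login",
    "//evil.example/",
    "/\\evil.example",
    "https://example.com@evil.example/",
    "https://example.com.evil.example/",
    "https://example.com:8443/",
    "javascript:alert(1)",
    "////evil.example",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:40} vulnerable -> {vulnerable_redirect_target(probe)!r:40} "
              f"safe -> {safe_redirect_target(probe)!r}")
    store = RedirectStore()
    tok = store.issue("/account")
    print("token resolves once:", store.resolve(tok), "then:", store.resolve(tok))
```

Running the module prints each probe next to what the vulnerable and hardened versions would put in `Location`; every probe but the first two ends up at `/`. Note the check runs on the URL after resolution and normalisation, not on the raw string: prefix checks such as `startswith("https://example.com")` are exactly what the `@` and `.evil.example` probes are built to defeat.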
-2

No, there are perfectly valid uses for such redirects like URL shortening services.

However, one shouldn't use them just "because they can"; in most cases there are better alternatives which should be preferred.

It should be regarded as undesirable and only used where that is the only method available.

ewanm89
    -1 This vulnerability can (almost) always be avoided. For instance you can use a session variable to store the URL. Read the prevention section on the OWASP A10 page. – rook Oct 21 '12 at 19:23
  • I stated that in my answer, it is very rare that one does need any such redirect, but there is the odd valid case. – ewanm89 Oct 21 '12 at 23:49
  • Just for an example, every link from google search is a redirect link. Oh, your browser might not show it in the status bar, but so google can track the click it is a link to https://www.google.com/url with a load of get parameters of where to end up going to. – ewanm89 Nov 25 '18 at 14:34