
Can anybody name all the risks of the following scenario:

A user visits a page, but his session has expired, so he is auto-redirected to the login page with his previous page and params added as a single parameter, encoded using PHP's urlencode():

https://www.example.com/login.php?previous_page=%2Fdashboard.php

When logged in, autoredirect to:

https://www.example.com/dashboard.php

I am currently aware of two:

  1. Manipulated links that contain external domain names, for example: https://www.example.com/login.php?previous_page=http%3A%2F%2Fxss.com%2Fmalware.php
  2. Manipulated links that contain scripts, for example: https://www.example.com/login.php?previous_page=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E

I am currently preventing these by only accepting the value of the previous_page param if it starts with %2F (encoded /). Are there more risks to catch?

Slava

1 Answer


Someone could pass a link to //xss.com/malware.php, by encoding it as https://www.example.com/login.php?previous_page=%2F%2Fxss.com%2Fmalware.php. To prevent this, you could pass the path from the site root as the parameter, so you would pass only dashboard.php. Then assemble the full link on the server side.

Lily Chung
  • Thanks for the tip. Typing `//xss.com` in browser does indeed open `http://xss.com/`. But during the actual testing the vulnerability doesn't exist. The user is redirected to `https://www.example.com//xss.com/`, which gives 404. – Slava Aug 30 '14 at 20:10
  • @Alph.Dev Interesting. How are you doing the redirect? – Lily Chung Aug 30 '14 at 22:00
  • Nothing special. `header('Location: '. $redirect_url);` Beforehand `$redirect_url` is decoded using `urldecode()` and checked for syntax. – Slava Aug 30 '14 at 22:42
  • @Alph.Dev In my version of Firefox, I get redirected to xss.com by a response containing `Location: //xss.com/`. You can test this at http://httpbin.org/redirect-to?url=//xss.com/ – Lily Chung Aug 30 '14 at 23:04
  • I've created a new empty page with only hardcoded `header('Location: //xss.com/');` It redirects to `https://www.example.com//xss.com/`. FF31, FF34.0a1, IE11, Chrome 36... – Slava Aug 31 '14 at 09:49
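The answer's approach, accepting only a local path and rebuilding the absolute URL on the server, written out as an added example (this is not code from the question or the answer). It assumes the site root https://www.example.com, a hypothetical `local_redirect_url()` helper, and that the value arrives already URL-decoded once in `$_GET`:

```php
<?php
// Added example, not code from the question or answer: apply the answer's
// advice by treating previous_page as a path on our own site and rebuilding
// the absolute URL server-side. Assumes the site root below and a value that
// PHP has already URL-decoded once in $_GET (so no extra urldecode() call).

const SITE_ROOT      = 'https://www.example.com';
const DEFAULT_TARGET = SITE_ROOT . '/dashboard.php';

// Returns an absolute URL on SITE_ROOT for a local path such as
// "/reports.php?year=2014", or null for anything else: an absolute URL,
// a protocol-relative //host, or characters that do not belong in a path.
function local_redirect_url(string $previous_page): ?string
{
    // parse_url() separates scheme and authority; a local path has neither.
    $parts = parse_url($previous_page);
    if ($parts === false) {
        return null;
    }
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return null;    // catches http://xss.com/... and //xss.com/...
        }
    }
    $path  = $parts['path']  ?? '';
    $query = $parts['query'] ?? '';
    // Allow-list: exactly one leading slash, then plain path characters.
    // A second slash, a backslash, '<', '%' or whitespace all fail here.
    if (!preg_match('#^/(?!/)[A-Za-z0-9_./-]*$#', $path)) {
        return null;
    }
    if ($query !== '' && !preg_match('#^[A-Za-z0-9_.%=&-]*$#', $query)) {
        return null;
    }
    return SITE_ROOT . $path . ($query !== '' ? '?' . $query : '');
}

// After a successful login: send the user to the validated target or the default.
function redirect_after_login(string $previous_page): void
{
    header('Location: ' . (local_redirect_url($previous_page) ?? DEFAULT_TARGET));
    exit;
}
// Constructed inputs: the first two are accepted, the rest fall back to the default.
assert(local_redirect_url('/dashboard.php') === 'https://www.example.com/dashboard.php');
assert(local_redirect_url('/reports.php?year=2014') === 'https://www.example.com/reports.php?year=2014');
assert(local_redirect_url('http://xss.com/malware.php') === null);
assert(local_redirect_url('//xss.com/malware.php') === null);
assert(local_redirect_url('<script>alert(document.cookie);</script>') === null);
```

Because the Location header is always assembled from SITE_ROOT plus a validated path, the encoding tricks from the question and the `//host` case from the answer all end up at the default target rather than off-site.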