Sunday, May 8, 2022

Unvalidated Redirects - OWASP Juice Shop


 

Allowlist Bypass

 

Category - Unvalidated Redirects.


Some organizations allow redirection only to a selected set of URLs. An adversary can craft a URL that passes this check yet sends the user to a site of the attacker's choosing. By pointing the redirect at a malicious site, an attacker may mount a phishing campaign and steal user credentials. An open redirection vulnerability can therefore damage an organization's reputation and user trust.

 

Exploitation part - 

 

To understand this vulnerability we will use the OWASP Juice Shop web application. The application allows redirection to a short list of URLs. We are going to craft a URL that passes that list and redirects to another target.

 

Step 1 - Open Juice Shop and log in with your credentials. Right-click on the page, choose Inspect, and open main.js under the Sources tab. Searching that JavaScript for a URL or redirect parameter reveals the URLs that the application allows as redirect targets.

 

 


Step 2 - After finding those URLs, copy one of them and test it as the redirect target. You will notice that the application redirects successfully to the given URL.


Figure#2 - Tested given URL for redirection. 


Step 3 - If we try to redirect anywhere else, the web application responds with an error: 406 error: unrecognized target URL for the redirect.


Figure#3 - 406 - error.



Step 4 - Now craft a URL that contains one of the allowed URLs, e.g.

http://localhost:3000/redirect?to=https://google.com?url=http://shop.spreadshirt.de/juiceshop

and observe that we are redirected to google.com.


The redirect to Google succeeds because the web application only checks whether one of the allowed URLs appears somewhere inside the value supplied by the user. If an allowed URL is part of the input, the redirect is followed, regardless of where the rest of the input points.

Figure#4 - successfully redirect on crafted URL.




Mitigation / Precautions :


- Web applications should avoid redirect functionality.

- If redirection to some listed URLs is allowed, the web application should strictly validate the user-supplied URL against that list.

- Web applications should handle errors carefully, because an attacker can refine a crafted URL by observing the error messages returned.

- Web applications should keep redirect targets stored on the server and accept only an identifier that selects one of them, rather than a URL from the client.


Thank You!! Happy Learning :) Comments are always welcome.
