CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Learn about CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')), its security impact, exploitation methods, and prevention guidelines.
What is URL Redirection to Untrusted Site ('Open Redirect')?
• Overview: URL Redirection to Untrusted Site ('Open Redirect') occurs when a web application uses user-controlled input to redirect users to an external site without proper validation, potentially leading to malicious exploitation.
• Exploitation Methods:
- Attackers can exploit this vulnerability by crafting a URL that redirects users to a malicious site, often tricking them into providing sensitive information.
- Common attack patterns include phishing schemes where attackers disguise the malicious site as a legitimate one, potentially capturing user credentials or distributing malware.
• Security Impact:
- Direct consequences of successful exploitation include users being redirected to harmful websites, leading to phishing, malware infections, or data theft.
- Potential cascading effects involve reputation damage to the original site and loss of user trust.
- Business impact can include legal liabilities, financial losses from fraud, and decreased user engagement due to loss of reputation.
• Prevention Guidelines:
- Specific code-level fixes involve validating and sanitizing redirect URLs using a whitelist of trusted domains or relative paths.
- Security best practices include avoiding the use of user-controlled data in redirection logic and implementing strict validation checks.
- Recommended tools and frameworks include using security libraries that handle redirects safely and conducting regular security audits to identify and fix open redirect vulnerabilities.
Corgea can automatically detect and fix URL Redirection to Untrusted Site ('Open Redirect') in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Web Based
Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft.
Vulnerable Code Example
from flask import Flask, request, redirect

app = Flask(__name__)

@app.route('/redirect')
def unsafe_redirect():
    # Vulnerable code: directly using user input to perform a redirect
    target_url = request.args.get('url')  # Get the URL from user input
    return redirect(target_url)  # Redirects to the user-supplied URL without validation
Explanation:
- The route handler reads the query parameter url and passes it straight to redirect() without any validation. An attacker could exploit this by providing a malicious URL, causing unsuspecting users to be redirected to a phishing or harmful site.
How to fix URL Redirection to Untrusted Site ('Open Redirect')?
To fix the Open Redirect vulnerability, follow these steps:
- Whitelist URLs: Instead of allowing users to specify any URL, maintain a list of approved URLs or URL patterns and only allow redirections to those.
- Validation: Validate the user input to ensure it matches the expected format or is within the approved list.
- Error Handling: Provide a safe default action or error message if validation fails.
- User Confirmation: Optionally, ask users to confirm they want to be redirected, especially if the target is not internal.
Fixed Code Example
from flask import Flask, request, redirect, abort

app = Flask(__name__)

# Whitelist of allowed URLs for redirection
ALLOWED_REDIRECTS = {
    '/home': '/home',
    '/profile': '/profile',
    '/contact': '/contact'
}

@app.route('/redirect')
def safe_redirect():
    # Get the target path from user input
    target_path = request.args.get('url')  # Get the URL from user input
    # Validate the target path against the whitelist
    if target_path in ALLOWED_REDIRECTS:
        return redirect(ALLOWED_REDIRECTS[target_path])  # Redirect to the validated URL
    else:
        abort(400)  # Bad Request if the URL is not in the whitelist
Explanation:
- A dictionary ALLOWED_REDIRECTS is defined to store the whitelist of paths that are allowed for redirection.
- The handler retrieves the user input from the query parameter url.
- It checks whether the user-provided value is a key in the ALLOWED_REDIRECTS whitelist.
- If valid, it redirects to the allowed URL.
- If the URL is not in the whitelist, it responds with a 400 Bad Request, preventing untrusted redirects.
This approach ensures that only pre-approved URLs can be used for redirection, mitigating the risk of Open Redirect vulnerabilities.
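The fixed example above only accepts an exact match against a fixed set of paths. Where an application must accept arbitrary same-site paths (for example a "next" parameter after login), the validator also has to reject the forms that browsers still resolve cross-site: scheme-relative "//host", backslashes, extra leading slashes, embedded tabs and userinfo tricks. The following is an added example, not code from the page or from Corgea; TRUSTED_HOSTS, SAFE_DEFAULT and the function names are constructed for illustration, and the value returned by resolve_redirect() would be handed to Flask's redirect().

```python
from urllib.parse import urlparse

# Constructed sample values for this illustration (not from the page).
TRUSTED_HOSTS = {"example.com", "www.example.com"}
SAFE_DEFAULT = "/home"


def is_safe_redirect_target(target):
    """True only for an absolute path on this site or an https URL on a trusted host."""
    if not target:
        return False
    # Reject C0 control characters: browsers strip tab/newline before parsing,
    # so "/\t/evil" would otherwise be re-read by the browser as "//evil".
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil" means "//evil".
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)
    if parsed.scheme:
        # Absolute URL: require https and an explicitly trusted host.
        # .hostname drops userinfo, so "https://example.com@evil.example" is caught.
        return parsed.scheme == "https" and parsed.hostname in TRUSTED_HOSTS
    if parsed.netloc:
        # Scheme-relative "//evil.example" is a cross-site redirect.
        return False
    # Must be a single-slash path; "///evil.example" is read as an authority by browsers.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(target):
    """Return the validated target, otherwise the safe default (never raises)."""
    if target is not None and is_safe_redirect_target(target):
        return target
    return SAFE_DEFAULT


if __name__ == "__main__":
    # Constructed inputs illustrating accepted and rejected forms.
    for candidate in ["/home", "/profile?tab=1", "https://www.example.com/account",
                      "//evil.example", "/\\evil.example", "javascript:alert(1)",
                      "https://example.com@evil.example/"]:
        print(f"{candidate!r:40} -> {resolve_redirect(candidate)}")
```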