URL Redirection to Untrusted Site ('Open Redirect')
ID: python.open_redirect
Severity: high
Resource: Injection
Language: Python
Tags: CWE:601, NIST.SP.800-53, OWASP:2013:A10, PCI-DSS:6.5.1
Description
URL redirection to untrusted site ('Open Redirect').
Open Redirect vulnerabilities occur when web applications dynamically construct URLs for redirection using user inputs, without proper validation or constraints. These vulnerabilities can be exploited by attackers to redirect users to phishing sites, steal personal information, or perform malicious actions.
Rationale
Attackers often mislead victims to visit a trusted site and redirect them to an alternate site trying to deceive the victim. This happens when a vulnerable application performs a redirect that concatenates untrusted input.
The attacker often encodes the URL in a way that it is difficult for the user to detect that it is at the wrong site.
In the malicious phishing site, typically mimicking the original site, threat actors may attempt to steal credentials, steal data, or perform other malicious actions.
Server-side forwards, even though they do not allow jumping to an external site, can be used by attackers to bypass the application’s access control checks and forward the attacker to an administrative function that is not normally permitted.
Here is a typical example of vulnerable Python code that leads to an Open Redirect:
from flask import Flask, redirect, request

app = Flask(__name__)

@app.route('/redirect')
def unsafe_redirect():
    # Taking the URL from user input without validation
    url = request.args.get('url')
    return redirect(url)
In the above example, the url parameter is taken from the request and used in a redirect call without validation. If an attacker controls the input, they might redirect users to an arbitrary and potentially malicious domain.
Remediation
If possible, avoid using (client-side) redirects and (server-side) forwards unless strictly necessary.
Otherwise, to mitigate Open Redirect vulnerabilities, apply these best practices:
- Whitelist URLs: Restrict redirection targets to a predefined list of trusted URLs. Only allow redirections to URLs that have been explicitly marked as safe or necessary for application functionality. Another option is to use a map of allowed URLs or domains and use an indirect reference from the request to choose a valid redirect URL from the map.
- Input Validation and Normalization: When constructing redirection URLs, validate and normalize the user inputs. Ensure the inputs conform to expected patterns, such as being a relative URL and not containing prohibited protocols or domains.
- Avoid Using sendRedirect for User-Controlled Paths: Prefer using server-side routing logic that does not involve dynamic user-generated paths or URLs for redirection purposes.
- Security Awareness and User Warnings: Inform users of potential risks when following redirects, and warn them against entering sensitive information on unfamiliar sites.
- Regular Security Audits and SAST: Conduct periodic security audits of the codebase and utilize SAST tools to detect and address Open Redirect vulnerabilities throughout the software development lifecycle.
By implementing these strategies, you can effectively reduce the risk of open redirect vulnerabilities, thereby safeguarding user interactions and maintaining the integrity of your application’s navigational logic.
This is the sanitized version of the previous example:
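As an added example (not the detector documentation's own code), the following hardens the Flask route shown earlier by applying two of the remediations listed above: an indirect-reference map, where the request names a key rather than a URL, and a validator that accepts only site-relative paths or absolute URLs whose scheme and host are on an allow-list. The host names, the map keys and the helper names are assumptions for illustration; the validator is pure standard library, and the Flask route is only defined when Flask is importable.

```python
from urllib.parse import urlparse

# Assumption: placeholder hosts and targets for this example, not real application values.
ALLOWED_HOSTS = frozenset({"app.example.com", "docs.example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
DEFAULT_TARGET = "/"

# Indirect reference map: the request supplies a key, never a URL (assumed keys).
REDIRECT_TARGETS = {
    "home": "/",
    "account": "/account",
    "docs": "https://docs.example.com/",
}


def is_safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a site-relative path or an absolute URL on an allowed host."""
    if not url:
        return False
    # Whitespace and control characters have no place in a redirect target.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    # Browsers treat '\' like '/', so '/\evil.example' behaves as '//evil.example'
    # (a protocol-relative URL to another host). Reject both spellings up front.
    if url.startswith("/") and url[1:2] in ("/", "\\"):
        return False
    try:
        parsed = urlparse(url)
    except ValueError:
        # e.g. an unbalanced '[' in the host part raises "Invalid IPv6 URL"
        return False
    if parsed.scheme == "" and parsed.netloc == "":
        # No scheme and no host: accept only an absolute path within this site.
        return url.startswith("/")
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # blocks javascript:, data:, and any other non-HTTP scheme
    if "@" in parsed.netloc:
        return False  # userinfo trick: https://app.example.com@evil.example/
    host = (parsed.hostname or "").lower()
    # Exact match, so app.example.com.evil.example does not pass as a suffix.
    return host in allowed_hosts


def resolve_redirect(url, fallback=DEFAULT_TARGET):
    """Return the caller-supplied URL if it passes validation, else a safe fallback."""
    return url if is_safe_redirect_target(url) else fallback


def resolve_redirect_key(key, fallback=DEFAULT_TARGET):
    """Indirect reference: map a request-supplied key to a pre-approved target."""
    return REDIRECT_TARGETS.get(key, fallback)


try:
    from flask import Flask, redirect, request
except ImportError:  # Flask is assumed present in the real app; the helpers above need only stdlib
    Flask = None

if Flask is not None:
    app = Flask(__name__)

    @app.route("/redirect")
    def safe_redirect():
        # Preferred: the request picks a key from the allow-list map.
        key = request.args.get("to")
        if key is not None:
            return redirect(resolve_redirect_key(key))
        # Otherwise validate the supplied URL and fall back to the site root.
        return redirect(resolve_redirect(request.args.get("url", "")))
```

The validator deliberately rejects bare relative paths such as `account` (no leading slash) as well as protocol-relative and backslash variants; it compares the parsed host name exactly against the allow-list rather than by suffix, which is the check that catches look-alike domains. Where the application can enumerate its redirect destinations, the key-based map is the simpler and stronger option because no URL from the request ever reaches the redirect call.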
Configuration
The detector has the following configurable parameters:
- sources, that indicates the source kinds to check.
- neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect').
- OWASP - Top 10 2021 Category A01: Broken Access Control.
- Unvalidated Redirects and Forwards Cheat Sheet, in OWASP Cheat Sheet Series.