External redirect


Jake Howlett

May 23, 2022, 7:29:17 AM
to OWASP ZAP User Group
Hi, 

I am receiving External Redirect alerts and I do not understand the injection used.

I believed that an external redirect is when the user can be redirected away from the current domain.

Therefore I cannot see how an injection of '309173191823934581.owasp.org' could redirect the user away from the domain without a prefix of 'https://'.

If I am missing something please let me know otherwise I would suggest removing this injection as I would class it as an internal redirect which is safe.

Simon Bennetts

May 23, 2022, 7:42:51 AM
to OWASP ZAP User Group
Can you give us more details - we can't tell what's going on from the limited information you've given us.

Cheers,

Simon

Jake Howlett

May 23, 2022, 11:27:23 AM
to OWASP ZAP User Group
After further investigation I have a simple explanation and maybe a solution to this problem. The problem is determining if a redirect is external or internal. So looking at the 302 response is the best way. This is what ZAP does and it sees the injection in the href and Location header line. However this href is a relative path that maps to an internal file and therefore is not an external redirect.

Injection

302 response
header
body
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="8093224239905260337.owasp.org?a=1&amp;b=2">here</a>.</body>


'http://8093224239905260337.owasp.org' is another injection that ZAP uses and this does map to an absolute and external path.

So I am wondering if I am missing something with the first injection to understand what vulnerability I have, if there is one.

Regards,
Jake

kingthorin+owaspzap

May 24, 2022, 8:23:15 AM
to OWASP ZAP User Group
It still seems unsafe to me.

Your app is going to assemble a URL like http://myapp.host.com/app/8093224239905260337.owasp.org?a=1&b=2 which will result in a 404, the user looks at the URL and thinks "oh okay they tried to redirect me but assembled the URL incorrectly somehow. Edit it, hit enter, boom badness ensues"

I do agree we could probably check for inclusion of the scheme to ensure it isn't being handled relatively. (Or maybe only alert on instances without a scheme at a specific Alert Threshold.)

kingthorin+owaspzap

May 24, 2022, 8:23:59 AM
to OWASP ZAP User Group
I also wonder if some browsers might try to "fix" the missing scheme (haven't tested, just pondering)

Jake Howlett

May 24, 2022, 11:31:56 AM
to OWASP ZAP User Group
Ok that I can understand and yes I do wonder if some browsers would construct the URL differently so I can see the reason for using this injection.

My one suggestion would then be to do the tests that use an absolute URL (e.g. http://8093224239905260337.owasp.org) first and raise this as a high priority (which is the current level) alert, and then move on to the less dangerous relative paths (8093224239905260337.owasp.org), which would raise a lower priority as it is more of a secondary alert than a direct vulnerability.

I say this because I have been looking at this alert, which was raised with the relative variant, and did not deem it a problem; however if it did the http variant first then I would have been able to see the direct external redirect vulnerability and the injection that would be the biggest problem to my website.

Regards,
Jake

kingthorin+owaspzap

May 24, 2022, 1:58:58 PM
to OWASP ZAP User Group
I'll look at making some adjustments to this scan rule.

kingthorin+owaspzap

May 24, 2022, 2:48:35 PM
to OWASP ZAP User Group
To be clear the payloads are in the order they are due to prioritization and seeming effectiveness. So it's not that one is absolute while another is relative. It's with and without the scheme portion of the URL. At some point when the original author of the scan rule did an analysis the without scheme payload was more effective.

What I'm going to try to do is check the response for the payload and then attempt to determine if it's been used with scheme in the context in which it appears.
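The two points made in this thread, that a scheme-less value is assembled into a same-host path by the browser and that a check should classify the payload by how it resolves in context, can be illustrated with a small resolver. The code below is an added example and is not ZAP's scan rule or code from anyone in the thread; the base URL `http://myapp.host.com/app/redirect?to=x`, the sample 302 response (built from the body quoted earlier in the thread), and all function names are constructed for the example. It resolves a Location header or href against the request URL with RFC 3986 relative-reference rules (which is what `urllib.parse.urljoin` implements), classifies each occurrence of the payload host as internal or external, and ends with the server-side guard an application would use to reject off-host targets.

```python
import html
import re
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the base URL kingthorin sketched above and
# one of the ZAP payload hosts quoted in the thread. Not ZAP's own code.
BASE_URL = "http://myapp.host.com/app/redirect?to=x"
PAYLOAD_HOST = "8093224239905260337.owasp.org"

# Constructed 302 body, copied from the response quoted earlier in the thread.
SAMPLE_BODY = (
    "<head><title>Object moved</title></head>"
    "<body><h1>Object Moved</h1>This object may be found "
    '<a HREF="8093224239905260337.owasp.org?a=1&amp;b=2">here</a>.</body>'
)

_HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def resolve_redirect(request_url: str, target: str) -> str:
    """Resolve a Location header or href value against the request URL.

    RFC 3986 relative-reference resolution: a value with no scheme and no
    leading '//' is a path, so it stays on the host of the request URL.
    """
    return urljoin(request_url, target)


def classify_redirect(request_url: str, target: str) -> str:
    """Return 'internal', 'external' or 'other' for a redirect target.

    The comparison is on the resolved hostname and port, so it does not
    matter whether the raw value carried a scheme: only where it lands.
    """
    req = urlsplit(request_url)
    tgt = urlsplit(resolve_redirect(request_url, target))
    if tgt.scheme not in ("http", "https") or not tgt.hostname:
        return "other"
    try:
        same_host = (tgt.hostname.lower(), tgt.port) == (
            (req.hostname or "").lower(),
            req.port,
        )
    except ValueError:  # malformed port in either URL
        return "other"
    return "internal" if same_host else "external"


def find_payload_redirects(request_url, status, headers, body, payload_host):
    """Locate the payload host in a response and classify each hit in context.

    This mirrors the check described in the thread (payload present, then
    decide whether the context resolves off-host); it is an illustration,
    not the scan rule itself.
    """
    findings = []
    location = headers.get("Location") or headers.get("location")
    if 300 <= status < 400 and location and payload_host in location:
        findings.append(("Location", classify_redirect(request_url, location)))
    for match in _HREF_RE.finditer(body):
        href = html.unescape(match.group(1))  # &amp; -> & before resolving
        if payload_host in href:
            findings.append(("href", classify_redirect(request_url, href)))
    return findings


def safe_redirect_target(request_url, requested, allowed_hosts, fallback="/"):
    """Server-side guard: only honour a target whose resolved host is allowed.

    Resolving first means a scheme-less or protocol-relative value is judged
    by the host it actually reaches, not by the text the client supplied.
    """
    resolved = resolve_redirect(request_url, requested)
    parts = urlsplit(resolved)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or host not in allowed_hosts:
        return fallback
    return resolved


if __name__ == "__main__":
    # The relative payload from the thread: resolves on myapp.host.com, so
    # both the Location header and the href are reported as internal.
    headers = {"Location": "8093224239905260337.owasp.org?a=1&b=2"}
    for where, verdict in find_payload_redirects(
        BASE_URL, 302, headers, SAMPLE_BODY, PAYLOAD_HOST
    ):
        print(where, verdict)
    # The same host with a scheme is external.
    print(classify_redirect(BASE_URL, "http://" + PAYLOAD_HOST))
```

Run as a script it prints the internal verdicts for the thread's 302 response and `external` for the scheme-prefixed payload. Note that `classify_redirect` also reports a protocol-relative value (`//host`) as external, because the browser fills in the request's scheme; a check keyed only on the literal presence of `http://` or `https://` would miss that case, which is why the example resolves the target before deciding.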

Simon Bennetts

May 25, 2022, 4:20:27 AM
to OWASP ZAP User Group
It's worth noting that wavsep has a set of tests for redirects, so it would be worth testing any changes against that just to make sure they don't introduce any false negatives.

Cheers,

Simon

kingthorin+owaspzap

May 25, 2022, 1:34:08 PM
to OWASP ZAP User Group
That's fair.