CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Low
Draft
2007-05-07
00h00 +00:00
00h00 +00:00
2024-11-19
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
General Informations
Background Details
Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft.Modes Of Introduction
Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.Implementation
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)Technologies
Class: Web Based (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity Note: The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data. | |
| Access Control Confidentiality Other | Bypass Protection Mechanism, Gain Privileges or Assume Identity, Other Note: By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam. The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. |
Observed Examples
| References | Description |
|---|---|
CVE-2005-4206 | URL parameter loads the URL into a frame and causes it to appear to be part of a valid page. |
CVE-2008-2951 | An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function. |
CVE-2008-2052 | Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter. |
CVE-2020-11053 | Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601) |
Potential Mitigations
Phases : ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Use a list of approved URLs or domains to be used for redirection.
Phases : Architecture and Design
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Phases : Architecture and Design
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Phases : Architecture and Design
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Phases : Architecture and Design // Implementation
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Phases : Operation
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.
Detection Methods
Manual Static Analysis
Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.Effectiveness : High
Automated Dynamic Analysis
Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.Automated Static Analysis
Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Effectiveness : High
Automated Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
Highly cost effective:
- Bytecode Weakness Analysis - including disassembler + source code weakness analysis
- Binary Weakness Analysis - including disassembler + source code weakness analysis
Effectiveness : High
Dynamic Analysis with Automated Results Interpretation
According to SOAR, the following detection techniques may be useful:
Highly cost effective:
- Web Application Scanner
- Web Services Scanner
- Database Scanners
Effectiveness : High
Dynamic Analysis with Manual Results Interpretation
According to SOAR, the following detection techniques may be useful:
Highly cost effective:
- Fuzz Tester
- Framework-based Fuzzer
Effectiveness : High
Manual Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
Highly cost effective:
- Manual Source Code Review (not inspections)
Effectiveness : High
Automated Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
Highly cost effective:
- Source code Weakness Analyzer
- Context-configured Source Code Weakness Analyzer
Effectiveness : High
Architecture or Design Review
According to SOAR, the following detection techniques may be useful:
Highly cost effective:
- Formal Methods / Correct-By-Construction
Cost effective for partial coverage:
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Effectiveness : High
Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-178 | Cross-Site Flashing An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application. |
NotesNotes
Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs.References
REF-483
Exploitable Redirects on the Web: Identification, Prevalence, and DefenseCraig A. Shue, Andrew J. Kalafut, Minaxi Gupta.
https://www.cprogramming.com/tutorial/exceptions.html
REF-484
Open redirect vulnerabilities: definition and preventionRuss McRee.
http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf
REF-485
Top 25 Series - Rank 23 - Open RedirectJason Lam.
http://software-security.sans.org/blog/2010/03/25/top-25-series-rank-23-open-redirect
REF-45
OWASP Enterprise Security API (ESAPI) ProjectOWASP.
http://www.owasp.org/index.php/ESAPI
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| Anonymous Tool Vendor (under NDA) | Draft 6 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Relationships, Observed_Example, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References and Observed_Examples | |
| CWE Content Team | MITRE | updated Alternate_Terms, Observed_Examples, References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Name | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Detection_Factors, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Common_Consequences, Potential_Mitigations, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations, References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Relationships, Type | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Description, Detection_Factors, References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes |
2025©
tesweb SA
