Merge pull request #542 from digininja/open_redirect
Open redirect
Showing 10 changed files with 275 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
<div class="body_padded"> | ||
<h1>Help - Open HTTP Redirect</h1> | ||
|
||
<div id="code"> | ||
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid"> | ||
<tr> | ||
<td><div id="code"> | ||
<h3>About</h3> | ||
<p> | ||
OWASP define this as: | ||
</p> | ||
<blockquote cite="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"> | ||
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. | ||
</blockquote> | ||
|
||
<p>As suggested above, a common use for this is to create a URL which initially goes to the real site but then redirects the victim off to a site controlled by the attacker. This site could be a clone of the target's login page to steal credentials, a request for credit card details to pay for a service on the target site, or simply a spam page full of advertising.</p> | ||
|
||
<br /><hr /><br /> | ||
|
||
<h3>Objective</h3> | ||
<p>Abuse the redirect page to move the user off the DVWA site or onto a different page on the site than expected.</p> | ||
|
||
<br /><hr /><br /> | ||
|
||
<h3>Low Level</h3> | ||
<p>The redirect page has no limitations, you can redirect to anywhere you want.</p> | ||
<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja</span></p> | ||
|
||
<br /> | ||
|
||
<h3>Medium Level</h3> | ||
<p>The code prevents you from using absolute URLs to take the user off the site, so you can either use relative URLs to take them to other pages on the same site or a <a href="https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL" target="_blank">Protocol-relative URL</a>.</p> | ||
|
||
<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=//digi.ninja</span></p> | ||
|
||
<br /> | ||
|
||
<h3>High Level</h3> | ||
<p>The redirect page tries to lock you to only redirect to the info.php page, but does this by checking that the URL contains "info.php".</p> | ||
|
||
<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja/?a=info.php</span></p> | ||
|
||
<br /> | ||
|
||
<h3>Impossible Level</h3> | ||
<p>Rather than accepting a page or URL as the redirect target, the system uses ID values to tell the redirect page where to redirect to. This ties the system down to only redirect to pages it knows about and so there is no way for an attacker to modify things to go to a page of their choosing.</p> | ||
|
||
</div></td> | ||
</tr> | ||
</table> | ||
|
||
</div> | ||
|
||
<br /> | ||
|
||
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Password_cracking' ); ?></p> | ||
</div> |
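Review bot: the Medium and High spoilers both point at `source/low.php`, which applies no filtering, so they do not demonstrate the bypass each section describes; they should read `source/medium.php?redirect=//digi.ninja` and `source/high.php?redirect=https://digi.ninja/?a=info.php` respectively. The Reference at the bottom links `https://en.wikipedia.org/wiki/Password_cracking`, which is unrelated to this module and looks copied from another help file; point it at the OWASP Unvalidated Redirects cheat sheet already quoted in the blockquote, or at CWE-601. Minor: `<div id="code">` is opened twice (the outer wrapper and again inside the `<td>`), giving duplicate ids in one document.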
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
<?php | ||
|
||
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' ); | ||
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php'; | ||
|
||
dvwaPageStartup( array( 'authenticated', 'phpids' ) ); | ||
|
||
$page = dvwaPageNewGrab(); | ||
$page[ 'title' ] = 'Vulnerability: Open HTTP Redirect' . $page[ 'title_separator' ].$page[ 'title' ]; | ||
$page[ 'page_id' ] = 'open_redirect'; | ||
$page[ 'help_button' ] = 'open_redirect'; | ||
$page[ 'source_button' ] = 'open_redirect'; | ||
dvwaDatabaseConnect(); | ||
|
||
switch( dvwaSecurityLevelGet() ) { | ||
case 'low': | ||
$link1 = "source/low.php?redirect=info.php?id=1"; | ||
$link2 = "source/low.php?redirect=info.php?id=2"; | ||
break; | ||
case 'medium': | ||
$link1 = "source/medium.php?redirect=info.php?id=1"; | ||
$link2 = "source/medium.php?redirect=info.php?id=2"; | ||
break; | ||
case 'high': | ||
$link1 = "source/high.php?redirect=info.php?id=1"; | ||
$link2 = "source/high.php?redirect=info.php?id=2"; | ||
break; | ||
default: | ||
$link1 = "source/impossible.php?redirect=1"; | ||
$link2 = "source/impossible.php?redirect=2"; | ||
break; | ||
} | ||
|
||
$page[ 'body' ] .= " | ||
<div class=\"body_padded\"> | ||
<h1>Vulnerability: Open HTTP Redirect</h1> | ||
<div class=\"vulnerable_code_area\"> | ||
<h2>Hacker History</h2> | ||
<p> | ||
Here are two links to some famous hacker quotes, see if you can hack them. | ||
</p> | ||
<ul> | ||
<li><a href='{$link1}'>Quote 1</a></li> | ||
<li><a href='{$link2}'>Quote 2</a></li> | ||
</ul> | ||
{$html} | ||
</div> | ||
<h2>More Information</h2> | ||
<ul> | ||
<li>" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . "</li> | ||
<li>" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . "</li> | ||
<li>" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . "</li> | ||
</ul> | ||
</div>\n"; | ||
|
||
dvwaHtmlEcho( $page ); | ||
|
||
?> |
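Review bot: `{$html}` is interpolated into `$page['body']` but `$html` is never assigned anywhere in this file, so PHP emits an undefined-variable warning on every load; either drop the placeholder or set `$html = "";` before the switch. The `redirect=` values embed a raw `?` and `=` (`source/low.php?redirect=info.php?id=1`); this works only because PHP splits each pair on the first `=`, so `urlencode("info.php?id=1")` would make the intent explicit and survive a future target containing `&`. `dvwaDatabaseConnect()` is called although nothing on this page touches the database.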
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
<?php | ||
|
||
if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") { | ||
if (strpos($_GET['redirect'], "info.php") !== false) { | ||
header ("location: " . $_GET['redirect']); | ||
exit; | ||
} else { | ||
http_response_code (500); | ||
?> | ||
<p>You can only redirect to the info page.</p> | ||
<?php | ||
exit; | ||
} | ||
} | ||
|
||
http_response_code (500); | ||
?> | ||
<p>Missing redirect target.</p> | ||
<?php | ||
exit; | ||
?> |
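Review bot: `strpos($_GET['redirect'], "info.php") !== false` is an unanchored, case-sensitive substring test, so any external URL carrying `info.php` in its path or query (the help text's `https://digi.ninja/?a=info.php`) is accepted; that is the intended weakness for this level and matches the High Level description. Two things should change regardless of level: both rejection branches answer `http_response_code(500)` for a client-supplied bad value, where 400 is the correct class, and `header("location: " . $_GET['redirect'])` deserves a comment that PHP refuses header values containing CR/LF, so the exposure here is the redirect itself, not header injection.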
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<?php | ||
|
||
$target = ""; | ||
|
||
if (array_key_exists ("redirect", $_GET) && is_numeric($_GET['redirect'])) { | ||
switch (intval ($_GET['redirect'])) { | ||
case 1: | ||
$target = "info.php?id=1"; | ||
break; | ||
case 2: | ||
$target = "info.php?id=2"; | ||
break; | ||
case 99: | ||
$target = "https://digi.ninja"; | ||
break; | ||
} | ||
if ($target != "") { | ||
header ("location: " . $target); | ||
exit; | ||
} else { | ||
?> | ||
Unknown redirect target. | ||
<?php | ||
exit; | ||
} | ||
} | ||
|
||
?> | ||
Missing redirect target. |
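Review bot: `case 99` maps to an external site (`https://digi.ninja`) that is mentioned nowhere in the help page or in index.php; it is still allowlisted, so it does not break the "impossible" promise, but an undocumented hidden target invites confusion, so either document it in the help text or remove it. The error branches are also inconsistent with the other levels: `Unknown redirect target.` and `Missing redirect target.` are emitted with no `http_response_code()` (400 or 404 would fit) and without the `<p>` wrapper the other files use. Note that `is_numeric` accepts forms such as `"1e0"` and `" 1"`, which `intval` folds to 1 on current PHP; harmless with the switch, but `ctype_digit` would express the intent exactly.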
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
<?php | ||
|
||
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' ); | ||
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php'; | ||
|
||
dvwaPageStartup( array( 'authenticated', 'phpids' ) ); | ||
|
||
$page = dvwaPageNewGrab(); | ||
$page[ 'title' ] = 'Vulnerability: Open HTTP Redirect' . $page[ 'title_separator' ].$page[ 'title' ]; | ||
$page[ 'page_id' ] = 'open_redirect'; | ||
$page[ 'help_button' ] = 'open_redirect'; | ||
$page[ 'source_button' ] = 'open_redirect'; | ||
dvwaDatabaseConnect(); | ||
|
||
$info = ""; | ||
|
||
if (array_key_exists ("id", $_GET) && is_numeric($_GET['id'])) { | ||
switch (intval ($_GET['id'])) { | ||
case 1: | ||
$info = "Why did he come to you?<br />I got a record, I was Zero Cool<br />Zero Cool. Crashed 1507 systems in one day, biggest crash in history, front page, New York Times August 10th 1988."; | ||
break; | ||
case 2: | ||
$info = "Who are you anyway?<br />Johnny.<br />Johnny who?<br />Just... Johnny?"; | ||
break; | ||
default: | ||
$info = "Some other stuff"; | ||
} | ||
} | ||
|
||
if ($info == "") { | ||
http_response_code (500); | ||
?> | ||
<p>Missing quote ID.</p> | ||
<?php | ||
exit; | ||
} | ||
|
||
$page[ 'body' ] .= " | ||
<div class=\"body_padded\"> | ||
<h1>Vulnerability: Open HTTP Redirect</h1> | ||
<div class=\"vulnerable_code_area\"> | ||
<h2>Hacker Quotes</h2> | ||
<p> | ||
{$info} | ||
</p> | ||
<p><a href='../'>Back</a></p> | ||
{$html} | ||
</div> | ||
<h2>More Information</h2> | ||
<ul> | ||
<li>" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . "</li> | ||
<li>" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . "</li> | ||
<li>" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . "</li> | ||
</ul> | ||
</div>\n"; | ||
|
||
dvwaHtmlEcho( $page ); | ||
|
||
?> |
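Review bot: the `default:` branch sets `$info = "Some other stuff"`, so any numeric `id` other than 1 or 2 renders a placeholder page instead of the `Missing quote ID.` error; the `if ($info == "")` guard below is then reachable only for a missing or non-numeric id. Drop the default (or have it leave `$info` empty) so unknown ids hit the error path. `{$html}` is interpolated into the body but never assigned in this file, the same undefined-variable warning as in index.php.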
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
<?php | ||
|
||
if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") { | ||
header ("location: " . $_GET['redirect']); | ||
exit; | ||
} | ||
|
||
http_response_code (500); | ||
?> | ||
<p>Missing redirect target.</p> | ||
<?php | ||
exit; | ||
?> |
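Review bot: this file never includes `dvwaPage.inc.php` or calls `dvwaPageStartup`, so it answers regardless of login state or the configured security level; a user who has set the level to "impossible" can still reach `source/low.php?redirect=https://digi.ninja` directly, which undercuts the level model unless that is documented as deliberate. Passing `$_GET['redirect']` straight to `header()` is the intended behaviour for Low, but the missing-parameter branch returns `http_response_code(500)` for what is a client error (400 fits).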
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
<?php | ||
|
||
if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") { | ||
if (preg_match ("/http:\/\/|https:\/\//i", $_GET['redirect'])) { | ||
http_response_code (500); | ||
?> | ||
<p>Absolute URLs not allowed.</p> | ||
<?php | ||
exit; | ||
} else { | ||
header ("location: " . $_GET['redirect']); | ||
exit; | ||
} | ||
} | ||
|
||
http_response_code (500); | ||
?> | ||
<p>Missing redirect target.</p> | ||
<?php | ||
exit; | ||
?> |
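Review bot: `preg_match("/http:\/\/|https:\/\//i", $_GET['redirect'])` is an unanchored substring match, so a legitimate relative target whose query string happens to contain an absolute URL (for example `info.php?ref=http://example.com`) is rejected with `Absolute URLs not allowed.`, while anything not spelled exactly `http://` or `https://` passes: the protocol-relative `//digi.ninja` the help text expects, but also other schemes such as `ftp://`. The pass-through is the intended weakness for this level, so only the false positive (anchor the pattern with `^` if the intent is "must not start with a scheme") and the `http_response_code(500)` on a client-supplied value (400 is the right class) need attention.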