Matok's PHP Blog

Aimed at security: Redirect user after action


When I see an elementary security issue on a big site, I'm not even mad, I'm sad about it. This happens even in big companies and on their web pages. One bad line of code can bring your business down. Think about this, and think about providing a basic security course to your developers.

I'm going to describe a real-world example. At the time of writing, the issue was still present on the page, and it may still be present right now.

Let’s hack it

I noticed on one domain a URL like this:
www.example.co.uk/login?returnUrl=order
After login I had this in the address bar:
www.example.co.uk/order

Whoa, whoa, whoa, this smells like a problem... what if I put something like this in the address bar: www.example.co.uk/login?returnUrl=http://atackerserver.co.uk
What do you think? Yeees... it was fucking working!

Consequences

Phishing page: I can make an exact copy of the web page and put it on my server. On the phishing page I can collect the user's password, credit card number and whatever else I want.

CSRF: Even denying other hosts in the returnUrl parameter wouldn't be salvation. The user would then be redirected only within the current domain, but there can still be an issue, and this was also the problem on the page I'm writing about. The site had internal actions that were accessible only by authorized (logged-in) users, but they were not protected by a CSRF token or a similar mechanism. The point is that I can still force a user to open:
www.example.co.uk/login?returnUrl=/transfer/1000GBP/to/matok
If www.example.co.uk/transfer/1000GBP/to/matok is a valid URL, some poor guy just sees a message that he sent me money :P.
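Here is an added example (my own, not the code of the site described above) of how a PHP login handler could validate returnUrl before redirecting. It only accepts a small allow-list of relative paths on the same site and falls back to a default page otherwise; the /account and /basket paths and the allow-list itself are assumptions.

```php
<?php
declare(strict_types=1);

// Pick a safe place to send the user after login. Only an allow-list of
// relative paths on this site is accepted; everything else, including the
// off-site and /transfer/... cases above, falls back to $default.
function safe_return_url(?string $returnUrl, string $default = '/account'): string
{
    if ($returnUrl === null || $returnUrl === '') {
        return $default;
    }

    // Anything with a scheme, host or userinfo is an off-site target:
    // http://attacker.example, //attacker.example, javascript:... and so on.
    $parts = parse_url($returnUrl);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $default;
    }

    // The site passes a bare page name (?returnUrl=order); normalise it to a path.
    // Query string and fragment from the parameter are dropped on purpose.
    $path = $parts['path'] ?? '';
    if ($path !== '' && $path[0] !== '/') {
        $path = '/' . $path;
    }

    // Browsers treat "/\host" like "//host", so reject a second slash or
    // backslash, and keep the path to a conservative character set (no dots,
    // so ".." cannot walk out of an allowed prefix).
    if ($path === ''
        || preg_match('#^/[/\\\\]#', $path)
        || preg_match('#[^A-Za-z0-9/_\-]#', $path)) {
        return $default;
    }

    // Pages a login may return to (assumed list). State-changing URLs such as
    // /transfer/... are deliberately absent: those must be POST requests
    // carrying a CSRF token, which a redirect can never produce.
    foreach (['/order', '/account', '/basket'] as $prefix) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            return $path;
        }
    }

    return $default;
}

// After a successful login:
// header('Location: ' . safe_return_url($_GET['returnUrl'] ?? null), true, 303);
// exit;
```

With this in place, returnUrl=order still lands on /order, while returnUrl=http://atackerserver.co.uk, returnUrl=//atackerserver.co.uk and returnUrl=/transfer/1000GBP/to/matok all end up on /account.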

Conclusion

That's all for today. The purpose of this article was to make you think about what you are doing and what unwanted effects it can have. Check your web site for similar issues with redirects. If you need help, don't be shy and contact me.

Last words

I have something to say, but this is not protection nor the correct way to handle the situation: what I am doing is denying all _GET parameters everywhere. You can try it on this page. I'm not doing this for security reasons, but afterwards I realized it is a really good check. If I want to use a _GET parameter I must explicitly allow it, and that forces me to think about it... what could possibly happen...?

If I just saved your ass and you had a similar issue on your page, mark this article as helpful.


If you like this article, mark it as helpful to let others know it's worth reading. Otherwise leave me feedback or a comment and we can talk about it.

I'm a foreigner. Where I live my friends call me Maťok.
