HTTP重定向
One of the most common and largely overlooked vulnerabilities by web developers is Open Redirect (also known as “Unvalidated Redirects and Forwards”).
其中一个最常见的,也是大部分被网站开发者忽视的漏洞是开放重定向(也称为 “无效重定向和转发”)。
A website is vulnerable to Open Redirect when parameter values (the portion of URL after “?”) in an HTTP GET request allow for information that will redirect a user to a new website without any validation of the target of redirect.
当HTTP GET请求中的参数值("? "后的部分URL)允许提供信息,将用户重定向到一个新的网站,而不对重定向的目标进行任何验证时,网站就会受到Open Redirect的攻击。
Depending on the architecture of a vulnerable website, redirection could happen after certain action, such as login, and sometimes it could happen instantaneously upon loading of a page.
根据易受攻击网站的架构,重定向可能会在某些操作后发生,如登录,有时也可能在页面加载时瞬间发生。
An example of a vulnerable website link could look something like this: https://www.example.com/login.html?RelayState=http%3A%2F%2Fexample.com%2Fnext
一个脆弱的网站链接的例子可能是这样的:: https://www.example.com/login.html?RelayState=http%3A%2F%2Fexample.com%2Fnext
In this example, “RelayState” parameter indicates where to send user upon successful login (In our example it is “http://example.com/next”).If website doesn’t validate the “RelayState” parameter value to make sure that target web page is legitimate and intended, attacker could manipulate that parameter to send a victim to a fake page crafted by attacker: https://www.example.com/login.html?RelayState=http%3A%2F%2FEvilWebsite.com
在这个例子中,"RelayState "参数表示在用户成功登录后将用户发送到哪里(在我们的例子中是 “http://example.com/next”)。如果网站没有验证 "RelayState "参数的值,以确保目标网页是合法的,攻击者可以操纵该参数,将受害者发送到一个由攻击者制作的虚假页面:https://www.example.com/login.html?RelayState=http%3A%2F%2FEvilWebsite.com。
Open Redirect vulnerabilities don’t get enough attention from developers because they don’t directly damage website and do not allow an attacker to directly steal data that belong to the company. However, that doesn’t mean that Open Redirect attacks are not a threat. One of the main uses for this vulnerability is to make phishing attacks more credible and effective.
开放式重定向漏洞没有引起开发者的足够重视,因为它们不会直接破坏网站,也不允许攻击者直接窃取数据,而这些数据是属于该公司。然而,这并不意味着Open Redirect攻击不构成威胁。这个漏洞的主要用途之一是使钓鱼攻击更加可信和有效。
When an Open Redirect is used in a phishing attack, the victim receives an email that looks legitimate with a link that points to a correct and expected domain. What the victim may not notice, is that in a middle of a long URL there are parameters that manipulate and change where the link will take them.
当开放重定向被用于网络钓鱼攻击时,受害者会收到一封看似合法的电子邮件,其中的链接指向一个正确的、预期的域名。受害者可能没有注意到的是,在长长的URL中间,有一些参数可以操纵和改变链接的位置。
To make identification of the Open Redirect even more difficult, redirection could take place after victim provides login on a legitimate website first. Attackers have found that an effective way to trick a victim is to redirect him to a fake website after they enter their credentials on a legitimate page. The fake website would look identical to a legitimate website, and it would ask the victim to re-enter their password. After the victim re-enters their password it would be recorded by the attacker and victim would be redirected back to a valid website. If done correctly, victim would think that he mistyped password once and would not notice that his username and password were stolen.
为了使识别开放重定向更加困难,重定向可能发生在受害者先提供登录合法网站之后。攻击者发现,欺骗受害者的有效方法是在受害者在合法网页上输入凭证后将其重定向到一个假网站。这个假网站看起来和合法网站一样,它会要求受害者重新输入密码。当受害者重新输入密码后,攻击者会记录下来,受害者会被重定向到一个有效的网站。如果操作得当,受害者会认为自己打错了一次密码,不会注意到自己的用户名和密码被盗。
Phishing is used in most successful targeted hacks and also regularly in opportunistic attacks. Considering how prominent phishing is in our daily lives, Open Redirect vulnerabilities should not be dismissed.
网络钓鱼被用于大多数成功的目标黑客,也经常用于机会主义攻击。考虑到网络钓鱼在我们的日常生活中是多么的突出,Open Redirect漏洞不应该被忽视。
It would have been unfair to single out any specific website or company as being vulnerable to Open Redirect because so many companies have it. Instead, it’s more useful to demonstrate how common those websites are and how easy it is to find them.
如果单独指出任何特定的网站或公司容易受到开放重定向的影响,这是不公平的,因为有这么多公司都有这种情况。相反,更有用的是展示这些网站有多普遍,以及找到它们有多容易。
Doing a web search is one of the best tools to find Open Redirect on your own website and across a wider Internet.
进行网络搜索是在自己的网站和更广泛的互联网上找到Open Redirect(开放重定向)的最佳工具之一。
Google Search allows for a great flexibility in writing search queries, including queries that specifically search through URLs of pages.
Google搜索可以非常灵活地编写搜索查询,包括专门通过网页的URL进行搜索的查询。
The following operators and special symbols allow anyone to craft very targeted Google Searches for finding Open Redirects:
以下操作符和特殊符号使任何人都可以针对特定的Google搜索,以查找开放重定向:
allinurl - operator that tells Google to search within URL for all provided keywords
Example: allinurl:ReturnUrl which searches for web pages that have “ReturnUrl” as part of their URL
allinurl - 操作符,告诉谷歌在URL中搜索所有提供的关键字。
例如:allinurl:ReturnUrl,它可以搜索URL中含有 "ReturnUrl "的网页。
site - operator that tells to only return results that are on specific domain or a web site
Example: site:example.com which searches for web pages from example.com
site - 操作符,指示只返回特定域名或网站上的结果。
例如:site:example.com可以搜索example.com的网页。
“” - double quotes are a special symbols that used to indicate to search for exact combination of words and symbols within quotes
“”–双引号是一种特殊的符号,用来表示搜索引号内的单词和符号的精确组合。
*- The asterisk is a wildcard that represents one or more words
*- 星号是通配符,代表一个或多个词。
Using these allows us to search for certain tell tale signs of potential Open Redirect:
We can look for the general presence of “http” or “https” within parameter area of GET request. For instance:
使用这些可以让我们搜索某些潜在的开放重定向的迹象:
我们可以在GET请求的参数区域中寻找 "http "或 "https "的一般存在。例如,我们可以在GET请求的参数区寻找 "http "或 "https "的存在:
allinurl:%3Dhttps*
allinurl:%253Dhttps*
allinurl:%3Dhttp*
allinurl:%253Dhttp*
We can also search for specific, common words related to forwarding within parameter area of GET request. For instance:
我们还可以在GET请求的参数区中搜索与转发相关的特定的、常用的词。比如说:
allinurl:“<keyword>=https”
allinurl:“<keyword>=http”
allinurl:<keyword>=https
allinurl:<keyword>=http
allinurl:<keyword>%3Dhttps
allinurl:"<keyword>%3Dhttps* "
allinurl:<keyword>%253Dhttps
allinurl:"<keyword>%253Dhttps* "
…
Instead of <keyword>, we would use one of the following words typical of redirects:RelayState, ReturnUrl, RedirectUri, Return, Return_url, Redirect, Redirect_uri, Redirect_url,RedirectUrl, Forward, ForwardUrl, Forward_URL, SuccessUrl, Redir, Exit_url, Destination. This is by no means a comprehensive list of keywords. You can find more by analyzing results from the more general queries looking for a URL in the parameter section of the GET request.
我们将使用以下典型的重定向词来代替\keyword>:RelayState,ReturnUrl,RedirectUri,Return,Return_url,Redirect,Redirect_uri,Redirect_url,RedirectUrl,Forward,ForwardUrl,Forward_URL,SuccessUrl,Redir,Exit_url,Destination。这绝不是一个全面的关键词列表。你可以通过分析GET请求的参数部分中寻找URL的更一般查询的结果来找到更多。
For targeted searches, you can add “site:<domain_name>” to the end of your Google Queries. This can help you identify Open Redirect vulnerabilities on your own website.
对于有针对性的搜索,你可以在Google查询的结尾添加 “site:<domain_name>”。这可以帮助你找出自己网站上的Open Redirect漏洞。
Using this simple search technique you can find dozens of Open Redirect vulnerabilities within minutes. List of vulnerable websites includes banking websites, websites of international corporations, trusted companies, beloved projects and numerous websites of smaller organizations. As an additional bonus, each time Google’s web crawler comes across new website that has Open Redirect, we will get updated results through our queries.
使用这种简单的搜索技术,你可以在几分钟内找到几十个Open Redirect漏洞。易受攻击的网站列表包括银行网站、国际公司网站、值得信赖的公司、心爱的项目和众多小型组织的网站。作为额外的奖励,每次Google的网络爬虫遇到有Open Redirect的新网站,我们都会通过查询得到更新的结果。
The best way to avoid Open Redirect vulnerability is to avoid redirecting based on parameter controlled by users or supplied through GET method. If redirecting is unavoidable,it can be dealt with by validating a redirect target and sanitizing it using whitelist of approved URLs.
避免Open Redirect漏洞的最好方法是避免基于用户控制的参数或通过GET方法提供的重定向。如果重定向是不可避免的,可以通过验证重定向目标,并使用批准的URL白名单对其进行消毒处理。