Foreword:
I learned about the redirection vulnerability today; it is fairly easy to understand.
Vulnerability name: URL redirection vulnerability
Threat: low
Cause of the vulnerability: the developer does not filter or restrict the redirect target accordingly
Example:
Vulnerable website: http://a.com/x.php?url=http://a.com/login.php
Here we can make it jump to a page of our choosing by appending a link to the url parameter. Example: http://a.com/x.php?url=http://www.baidu.com
Vulnerabilities it can be chained with:
CSRF: when a website has a CSRF vulnerability and you know the link that creates a backend administrator, that link can be wrapped in the URL redirection vulnerability, combined with short-link generation.
Stored XSS: when a website has a stored XSS vulnerability and you have inserted JS that steals cookies, the URL redirection vulnerability can be used to send the victim directly to that page.
Main text:
Here we use bWAPP, a deliberately vulnerable web application, to test URL redirection.
http://192.168.3.41/bWAPP/unvalidated_redir_fwd_1.php
Unvalidated redirects and forwards
Click the Beam button and the page jumps.
Open Burp Suite and capture the request.
The parameters look like this: url=xxxx&form=submit
Send it to Repeater.
Modify it to url=http://www.baidu.com
A 302 redirect is generated, and the target page is http://www.baidu.com
Go back to the intercepted request, forward it, and watch it jump.
Medium level
Capture the request in the same way.
Change the link directly and find that it jumps back to the login page. After careful comparison, it turns out the medium-level defense is decided by the value set in the cookie.
Change it to 0, change the parameter after url, and it jumps directly.
High level
There is no difference between the high and medium defense, except that the cookie value is 2. Change it directly to 0 and set the link to jump to a Blog Park link.
Blog Park has to go through two jumps here.
Script code to verify the URL redirection vulnerability:
import requests, time


def poc():
    # Ask for the target URL and the query string to send with it.
    user = input('Please enter the web site to be tested:')
    user2 = input('Please enter the parameters you want to bring in:')
    # Keep only the part after '?' and split it into a key/value dict.
    values = user2.strip().split('?')[-1]
    params = {}
    for line in values.split('&'):
        key, value = line.split('=', 1)
        params[key] = value
    print('URL:', user)
    print('The parameters you have taken are:', params)
    time.sleep(0.2)
    print('If you want to change the parameters, please enter y')
    print('Do not need to change to enter n')
    user3 = input('Do you want to change your parameters[y/n]:')
    if user3 == 'y':
        # Interactive loop to overwrite individual parameter values.
        while True:
            print('Please enter the name of the parameter you want to change{name: value}')
            print(params)
            user4 = input('Please fill in the name:')
            user5 = input('Please enter the value you want to change:')
            params['{}'.format(user4)] = '{}'.format(user5)
            print('The change is done, and your current parameter is', params)
            user6 = input('Do you want to continue to modify the parameters[y/n]?:')
            if user6 == 'y':
                continue
            elif user6 == 'n':
                break
            elif user6 == '':
                break
    url = user.strip()
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'}
    # allow_redirects=False so the 302 and its Location header are returned instead of followed.
    rest = requests.get(url=url, headers=headers, timeout=6, params=params, allow_redirects=False)
    print('Http_code:', rest.status_code)
    print(rest.headers)
    try:
        print(rest.headers['Location'])
        # The test value used above: an open redirect echoes the supplied external URL.
        if rest.headers['Location'] == 'http://www.baidu.com':
            print('[*]There is a URL redirection vulnerability in this link')
        else:
            print('[+]There is no URL redirection vulnerability in this link')
    except KeyError:
        print('[-]no Location header')


poc()
The results are as follows:
Summary:
Although the threat of this vulnerability is not high, it still needs to be protected against. The defense methods are as follows:
Use the state parameter to prevent cross-site attacks, and verify that the 302 response carrying the code parameter was not forged by the attacker.
For external-link attacks, in browsers that support HTML5 you can add the rel=noreferrer attribute to all external links; for old versions of IE, the workaround is to jump through an HTTPS page, which has the effect of erasing the referer.
PHP obtains the referer to determine the source and prevent illegal access: http://www.90tec.com/iwork/20.html
I don't like the second one; the others are fine.
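The root cause above is a redirect target that is copied into the Location header without any filtering. As an added example (not code from the original post or from bWAPP), here is that unfiltered pattern next to a redirect-target check that only allows hosts on an allowlist, in the same language as the page's own checker; ALLOWED_HOSTS, LOGIN_PAGE and the a.com host are assumed for the illustration.

```python
from urllib.parse import urljoin, urlsplit

# Hosts the application may redirect to and the fallback page (constructed for this example).
ALLOWED_HOSTS = {"a.com", "www.a.com"}
LOGIN_PAGE = "/login.php"


def vulnerable_redirect_target(url_param: str) -> str:
    """The unfiltered pattern: whatever arrives in ?url= is echoed into the Location header."""
    return url_param


def safe_redirect_target(url_param: str, request_host: str = "a.com") -> str:
    """Return an absolute target on an allowed host, or the login page if the target escapes.

    Handles the usual bypass shapes: protocol-relative '//evil', backslash '/\\evil',
    userinfo 'http://a.com@evil', lookalike hosts 'a.com.evil' and non-http schemes.
    """
    candidate = url_param.strip().replace("\\", "/")  # browsers treat '\' like '/'
    # Resolve against the current origin so a relative path stays on our host and
    # a protocol-relative value is exposed as a foreign host instead of a path.
    resolved = urljoin(f"https://{request_host}/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return LOGIN_PAGE
    # .hostname drops userinfo and port; compare exact host names, never substrings.
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return LOGIN_PAGE
    return resolved


if __name__ == "__main__":
    # Constructed inputs; the last two are legitimate in-site targets.
    for sample in ["http://www.baidu.com", "//www.baidu.com", "/\\www.baidu.com",
                   "http://a.com@www.baidu.com", "http://a.com.baidu.com/", "javascript:alert(1)",
                   "/portal.php", "http://a.com/portal.php"]:
        print(f"{sample!r:35} unfiltered -> {vulnerable_redirect_target(sample)!r:30} "
              f"validated -> {safe_redirect_target(sample)!r}")
```

Because the validated result is the normalized absolute URL rather than the raw parameter, odd shapes such as "///host" are also neutralised instead of being passed through for the browser to reinterpret.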