Blog | G5 Cyber Security

Burp Open Redirect Fix

TL;DR

An attacker can send your users to a site they control by abusing how your application’s client-side JavaScript turns a URL parameter into a redirect. This guide shows you how to find DOM-based open redirects with Burp Suite, how to fix them, and how to check that the fix holds up against common bypasses.

What is a DOM-Based Open Redirect?

A DOM-based open redirect happens when the redirection target isn’t chosen by the server but by client-side JavaScript that reads attacker-controllable data (a source such as location.search or location.hash) and writes it to a navigation sink such as window.location. The attacker crafts the URL the victim opens, and the page itself sends the user elsewhere without the server ever issuing a redirect.

Finding DOM-Based Open Redirects with Burp Suite

  1. Configure Burp Suite: Proxy your browser through Burp, or use Burp’s embedded browser. Intruder is available in the Community Edition but is rate-limited; a Professional license removes the throttle and adds Burp Scanner, whose crawl and audit can flag DOM-based open redirection for you.
  2. Identify Potential Redirection Points: Look for JavaScript code that uses window.location, document.location or similar to redirect users based on URL parameters. Common places include login pages, error handling, and links with tracking codes.
  3. Use Burp Intruder:
    • Send a request containing the potential redirection parameter to Burp Repeater and confirm that the page actually uses the parameter.
    • Copy the request to Burp Intruder.
    • In the ‘Positions’ tab, mark the redirection parameter as your payload position. For example, if the URL is https://example.com/redirect?url=PAYLOAD, mark PAYLOAD.
    • Go to the ‘Payloads’ tab and load a list of URLs pointing at a host you control (a Burp Collaborator payload in Professional, or a test domain you own), including bypass variants such as //attacker.example, /\attacker.example, https://example.com@attacker.example and https://example.com.attacker.example. Do not point payloads at third-party sites. Burp’s built-in payload lists are a starting point; extend them with your own.
    • Start the attack.
  4. Analyze Results: For a server-side redirect Intruder shows the result directly: look for 3xx responses whose Location header now carries your payload.
    HTTP/1.1 302 Found
    Location: http://attacker.example
    ...
    For a DOM-based redirect the server response does not change, because the navigation happens in JavaScript after the page loads. Instead, check that the response body contains the script that reads the parameter and assigns it to a location sink, then confirm by opening the payload URL in Burp’s embedded browser (with DOM Invader enabled, or the browser’s DevTools) and watching where the page navigates.

Fixing DOM-Based Open Redirects

  1. Input Validation: The most important step! Never trust user input directly in a redirect.
    • Whitelist Approach: Only allow redirection to pre-approved domains. This is the safest option. Compare the parsed hostname and scheme, not a substring of the raw string: a check like url.startsWith('https://example.com') is bypassed by https://example.com.attacker.example.
      const allowedDomains = ['example.com', 'safe-domain.net'];
      const urlParam = new URLSearchParams(window.location.search).get('url') || '';
      let redirectUrl = null;
      try {
        // Resolve against our own origin so '/account' stays on-site; the parser also normalises '//', '\' and percent-encoding.
        redirectUrl = new URL(urlParam, window.location.origin);
      } catch (e) {
        // Malformed URL: fall through to the error branch below.
      }
      if (redirectUrl && ['http:', 'https:'].includes(redirectUrl.protocol)
          && allowedDomains.includes(redirectUrl.hostname)) {
        window.location.href = redirectUrl.href;
      } else {
        // Handle invalid URL - show an error message or redirect to a safe page.
        console.error('Invalid redirect URL');
      }
    • Regular Expression Validation: If whitelisting isn’t practical (for example, you only ever need to redirect to paths on your own site), still parse the value with the URL constructor and check the resulting protocol and hostname rather than pattern-matching the raw string. Blocklist-style regexes that look for ‘bad’ substrings such as javascript: are routinely bypassed by alternative encodings, backslashes and case changes. If you must use a regex, make it a strict allow-pattern (a single leading slash that is not followed by another slash or a backslash, then ordinary path characters) and reject everything else.
  2. URL Encoding/Decoding: Validate the value in the form the browser will actually navigate to, after it has been decoded and parsed, not the raw query string. Double-encoded characters (%252F), backslashes and mixed case can look harmless before normalisation and become // or \ afterwards. Parsing with the URL constructor and checking its properties handles this for you; do not write your own decoder.
  3. Avoid Client-Side Redirection Where Possible: Where you can, perform the redirect on the server side, or pass a short identifier that the server maps to a fixed destination, instead of letting JavaScript navigate to a user-supplied value. The same allowlist rules apply there: moving the sink to the server does not make an unvalidated redirect safe, it only makes it easier to test and log.
  4. Content Security Policy (CSP): A CSP does not stop an open redirect, because navigating the top-level page to another site is not something CSP restricts. It is still worth deploying as defence in depth: a script-src directive without 'unsafe-inline' blocks javascript: URLs written to the same location sink, which turns the XSS variant of this bug into a plain redirect.

Testing Your Fix

  1. Repeat the steps in ‘Finding DOM-Based Open Redirects’ after applying the fix. Payloads pointing at your test host should be rejected, and the page should show the error or land on the safe fallback instead of navigating away.
  2. Try different encoding techniques and URL formats (//attacker.example, /\attacker.example, https://example.com@attacker.example, https://example.com.attacker.example, percent-encoded slashes such as %2F%2F, and javascript: URLs) to ensure your validation is robust, and confirm that legitimate relative paths and allowlisted hosts still work.
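As an added example, not code from the original post, the snippet below puts the vulnerable sink described in the finding steps beside a hardened resolver built the way the fix section recommends, and runs both over the bypass payloads listed in the testing step. It uses only the standard URL and URLSearchParams APIs, so it runs in Node or a browser console. The origin https://example.com, the allowlist and the payload list are assumptions constructed for the demo, not data from a real target.

```javascript
// Added example, not from the original post. The origin, the allowlist and
// the payloads are assumptions constructed for the demo.
const ORIGIN = 'https://example.com';                     // assumed application origin
const ALLOWED_HOSTS = ['example.com', 'safe-domain.net']; // assumed allowlist

// Vulnerable pattern to hunt for: the ?url= value flows straight into the
// navigation sink. In a real page this is
//   window.location.href = new URLSearchParams(location.search).get('url');
function vulnerableTarget(search) {
  return new URLSearchParams(search).get('url'); // attacker-controlled, unvalidated
}

// Hardened resolver: let the browser's URL parser normalise the value first
// (slashes, backslashes, percent-encoding, userinfo), then allow only http(s)
// to an allowlisted hostname. Returns the normalised href, or null to reject.
function safeTarget(search, origin = ORIGIN, allowed = ALLOWED_HOSTS) {
  const raw = new URLSearchParams(search).get('url');
  if (!raw) return null;
  let url;
  try {
    url = new URL(raw, origin); // relative paths resolve onto our own origin
  } catch {
    return null;                // unparseable input
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!allowed.includes(url.hostname)) return null;
  return url.href;
}

// Constructed payloads, written as they would appear in the query string
// (the same list you would feed to Intruder).
const PAYLOADS = [
  '/account',                              // legitimate relative path
  'https://safe-domain.net/login',         // legitimate allowlisted host
  'https://attacker.example/',             // plain external host
  '//attacker.example/',                   // protocol-relative
  '/\\attacker.example/',                  // backslash: browsers treat \ as / here
  'https://example.com.attacker.example/', // allowlisted name as a subdomain
  'https://example.com@attacker.example/', // allowlisted name in userinfo
  'javascript:alert(document.domain)',     // XSS through the same sink
  '%2F%2Fattacker.example%2F',             // percent-encoded //, decoded by URLSearchParams
];

// Run every payload through both sinks; safe === null means the hardened code rejected it.
function evaluate(payloads = PAYLOADS) {
  return payloads.map((p) => {
    const search = '?url=' + p;
    return { payload: p, vulnerable: vulnerableTarget(search), safe: safeTarget(search) };
  });
}

for (const r of evaluate()) {
  console.log(`${r.safe === null ? 'BLOCK' : 'ALLOW'}  ${r.payload.padEnd(40)} -> ${r.safe ?? '(rejected)'}`);
}
```

The vulnerable function hands every payload straight back, which is exactly what Intruder cannot see in the server response and why the DOM-based variant has to be confirmed in the browser. The hardened function lets only the first two payloads through, and it does so by reading hostname and protocol from the parsed URL rather than by searching the raw string, which is what defeats the subdomain, userinfo, backslash and percent-encoding tricks in one place.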