TL;DR
An open redirect vulnerability occurs when a web application redirects users to URLs specified by user input without proper validation. A common mitigation is blacklisting known malicious domains or patterns. This guide explains how attackers can bypass these blacklists and demonstrates techniques to exploit the vulnerability.
Understanding the Problem
Blacklist-based URL matching attempts to prevent open redirects by checking whether a provided URL contains disallowed strings (e.g., ‘evil.com’). However, this method is often flawed because of encoding issues, case sensitivity, and variations in how a domain can be represented. Attackers can craft URLs that pass these checks but still redirect to malicious sites.
Bypass Techniques
- URL Encoding: Attackers can encode characters within the URL using percent encoding (e.g., %20 for space, %3A for colon). This may bypass simple string matching rules.
  example.com/%65vil.com
- Case Variation: Some blacklists are case-sensitive. Try variations in capitalization (e.g., Evil.com, eViL.CoM).
  example.com/Evil.com
- Unicode Lookalikes: Use Unicode characters that visually resemble ASCII characters but have different underlying representations.
  example.com/evil.com
- Alternative Domains: Explore alternative domain extensions (e.g., .net, .org) or subdomains.
  example.com/evil.co
- IP Address: Use the IP address of the malicious domain instead of the domain name.
  example.com/192.0.2.1
- Combined Techniques: Combine multiple encoding techniques for a higher chance of bypass.
  example.com/%65vil.CoM
- Trailing Characters: Append whitespace or trailing characters to the URL, which might be ignored during validation.
  example.com/evil.com
- Fragment Identifier: The fragment identifier (the part after #) is often not validated and can be used to hide malicious parts of the URL.
  example.com/evil.com#malicious_part
- Double Encoding: Encode a character twice (e.g., %2520 for space).
  example.com/%2565vil.com
- Punycode: For internationalized domain names (IDNs), use the Punycode representation.
  example.com/xn--evil-domain.com
Exploitation Steps
- Identify the Redirect Parameter: Determine which URL parameter controls the redirection.
- Initial Test: Try a simple malicious URL (e.g., evil.com) to confirm the vulnerability exists.
- Blacklist Discovery: Attempt various bypass techniques, observing the application’s response to identify patterns in the blacklist.
- Craft Payload: Create a URL that passes the blacklist but redirects to your malicious site.
- Verify Exploitation: Confirm the redirect occurs as expected and leads to the attacker-controlled domain.
Mitigation
- Whitelist Approach: Instead of blacklisting, explicitly allow only known safe domains. This is the most secure approach.
- Strict Validation: Implement robust URL validation that checks for protocol (http/https), domain format, and character restrictions.
- Canonicalization: Normalize URLs before validation to handle case variations, encoding issues, and other inconsistencies.
- Regular Updates: Keep the blacklist updated with newly discovered malicious domains. However, remember that a whitelist is preferred.
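The following is an added example, not code from the original guide, showing the whitelist, strict validation and canonicalization points above side by side with the blacklist check the bypass techniques defeat. The application origin, the allowed hosts and the sample targets (including the documentation address 192.0.2.1) are constructed assumptions.

```python
import ipaddress
from urllib.parse import unquote, urljoin, urlsplit

# Assumed application origin and allowlist (hypothetical values for this example).
APP_BASE = "https://example.com/"
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_blacklist_check(url: str) -> bool:
    """The flawed pattern from the guide: pass anything that does not
    contain a known bad string. Shown only for contrast."""
    return "evil.com" not in url


def canonicalize(url: str) -> str:
    """Percent-decode until stable (defeats double encoding) and drop
    whitespace and control characters, which validators often ignore."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return "".join(ch for ch in url if ch.isprintable() and not ch.isspace())


def is_safe_redirect(url: str) -> bool:
    """Allowlist validation: resolve against the app's own origin, then
    require an allowed scheme and an exact match on the decoded,
    lowercased, IDNA-encoded host. Raw IP literals are never allowed."""
    parts = urlsplit(urljoin(APP_BASE, canonicalize(url)))  # scheme and hostname come back lowercased
    if parts.scheme not in ALLOWED_SCHEMES or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo is never needed in a redirect target
    try:
        ipaddress.ip_address(parts.hostname)
        return False
    except ValueError:
        pass
    try:  # IDNA turns lookalike Unicode labels into their xn-- form before comparison
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed targets mirroring the guide's variants; "\u0435" is a Cyrillic lookalike of "e".
    for target in ["/account", "https://%65vil.com", "https://EVIL.com", "https://%2565vil.com",
                   "https://192.0.2.1/", "https://evil.co", "https://\u0435vil.com",
                   "https://example.com/evil.com#frag"]:
        print(f"{target!r:40} blacklist={naive_blacklist_check(target)} allowlist={is_safe_redirect(target)}")
```

The last target shows the other side of the coin: the blacklist rejects a harmless same-origin URL that merely mentions the string, while the allowlist accepts it.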