Blog | G5 Cyber Security

URL Shortener Open Redirects: A Security Guide

G5 Cyber Security

TL;DR

URL shorteners can be vulnerable to open redirects, allowing attackers to disguise malicious links. This guide explains how these vulnerabilities work and how to prevent them.

What are Open Redirects?

An open redirect happens when a web application (like a URL shortener) accepts a user-supplied URL as input and then redirects the user to that URL without proper validation. If not handled correctly, an attacker can craft a link that appears legitimate but actually points to a harmful website.

How do URL Shorteners relate?

URL shorteners take long URLs and create shorter, more manageable ones. The core function is redirection. If the shortener doesn’t check where it’s redirecting you, it can be exploited.

Identifying Open Redirect Vulnerabilities

  1. Basic Testing: Try appending parameters to a shortened URL that are commonly used for redirects. Examples include ?url=, &redirect_url=, or /r/ followed by a known malicious site.
  2. Example Scenario: Let’s say the shortener’s base URL is https://short.url/. Try these:
    • https://short.url/?url=http://evil.com
    • https://short.url/r/http://evil.com
    • https://short.url/?redirect_url=http://evil.com
  3. Observe the Redirect: If you are redirected to http://evil.com, it’s a strong indication of an open redirect vulnerability.

Preventing Open Redirects

  1. Whitelisting Allowed Domains: This is the most secure approach.
    • Only allow redirects to URLs within a pre-approved list of domains (e.g., your own website, trusted partners).
    • Reject any redirect request that doesn’t match an allowed domain.
  2. URL Validation: If whitelisting isn’t feasible:
    • Scheme Check: Ensure the URL uses a safe scheme (http or https). Reject anything else (e.g., ftp, mailto). 
      if not url.startswith('http://') and not url.startswith('https://'):
  #Reject the URL
  return False
    • Domain Check: Verify that the domain is valid and exists.
    • Blacklisting: Maintain a list of known malicious domains and reject redirects to them. (Less effective than whitelisting).
  3. Canonicalization: Ensure URLs are consistently formatted before validation. This helps prevent bypasses using different URL encodings. 
    from urllib.parse import urlparse, unquote
parsed_url = urlparse(unquote(url))
canonical_url = parsed_url.scheme + '://' + parsed_url.netloc + parsed_url.path
  4. Redirection Logic: Avoid directly using user-supplied input in the redirection function.
    • Instead, use a mapping system where short codes are associated with pre-validated long URLs.
  5. Regular Security Audits: Regularly scan your URL shortener for open redirect vulnerabilities and other cyber security issues.

Example Code (Python – Illustrative)

This is a simplified example to show the concept of whitelisting.

allowed_domains = ['example.com', 'trustedpartner.net']

def validate_url(url):
  parsed_url = urlparse(url)
  if parsed_url.netloc in allowed_domains:
    return True
  else:
    return False

# Example usage:
user_supplied_url = 'https://example.com/safe-page'
if validate_url(user_supplied_url):
  # Redirect to user_supplied_url
  print('Redirecting...')
else:
  print('Invalid URL - redirect blocked.')
Exit mobile version