There are times when a website may want to send a visitor to another page either immediately or after a specified amount of time (usually seconds). As an example, consider an outdated page that you believe your visitors have bookmarked – You don’t want to lose the traffic, so you just automatically redirect them to another page. While less common today, these redirects and forwards do still exist, but if not setup properly, they could pose an outside risk to your online presence.
While there are many ways to create a redirect or forward, the exploit in this case boils down to the destination URL being included in the address bar for the source page. When the redirect or forward is activated, the application will read the destination URL from the address bar and forward a user to that address. Consider this example source URL:
We can see here that the “About Us” page is being redirected back to the home page. The problem with this is that there is potential for anyone to take that full URL and insert their own redirect destination address and then send it to a site’s users. From there, depending on that source page, users’ could be tricked into thinking they are still on the source site. These unvalidated redirects/forwards could ultimately lead to a phishing scam in which users are fooled into giving up sensitive information about themselves.
As with most of these tests, you’ll need to determine which, if any, of your pages redirect to a different destination. If they do, you’ll want to determine if the addresses are included in the address bar, and last, if they can simply be changed as described above. If so, you and your users could be subject to phishing attempts.
The easiest way to avoid this exploit is to simply not utilize redirects and forwards. Of course, this isn’t always an option, and other measures must be taken. Depending on the nature of the redirect or forward, you may be able to implement what’s referred to as a “meta refresh” in your page, which uses hard coded HTML to automatically redirect visitors to another page. To implement this, you just need to add the following code in the <head> section of your page’s HTML:
<META httpequiv=”refresh” content=”5;URL=http://vulnerablesite.com”>
In this case, the page with this code will be redirected to “vulnerablesite.com” after 5 seconds (note the number “5” where the “content” is defined in the URL).
Another option for preventing this exploit is to create an indirect reference to the destination URL within the source URL.
SiteLock offers what is called a Web Application Firewall (WAF). The WAF is designed to scan and filter all incoming traffic for a website. This is achieved by referencing libraries of IP addresses and websites with poor reputations and preventing a website from being forwarded to any of them. The end result is that the intended audience views a secure and clean site each and every time.
Any website owner will need to consider the type of information it transmits back and forth with its users, and the potential impact of having that same information stolen.
In addition to stealing individual user data, a website with malicious redirects/forwards associated with it may find itself shut down through a number of different channels. It’s not at all uncommon for web hosts to get complaints about hacked sites, which will in turn cause them to suspend the site and account of the site owner. You may also find that antivirus applications have caught on to the problem and will alert users that a site is dangerous and should be avoided. And last, browsers such as Google Chrome scan sites for these problems and when found, they will alert their users that a site is unsafe and should not be visited. All of these possibilities have a real possibility of quickly eroding a site’s credibility.
To learn more about how our Web Application Firewall blocks unvalidated redirects and forwards, call SiteLock at 855.378.6200.