
Header Redirect Security



benjam1nrk
12-21-2010, 03:49 AM
Hello,

What potential security holes open when allowing a header redirect destination to be set by the client?

For example, form input is parsed, and the form submitter should be redirected to the confirmation page. The confirmation page URL is passed as a hidden form variable. This would allow for easy customization on my client's side, but I am hesitant to implement due to potential security concerns.

Would this cause any issues/security concerns?

Fumigator
12-21-2010, 04:06 AM
Think about what is to gain by messing with the confirmation redirect. Does it just break the page, or will it give a client a level of access he shouldn't have? If it just breaks the page for that client, then I don't consider it a big deal. The dangerous hackers will typically only target something if they can potentially profit from the exploit.

The things you have to worry about are holes that give the client the ability to upload and create files on your webserver, get into your database or filesystem, that sort of thing.

benjam1nrk
12-21-2010, 04:26 AM
Thank you for the response,

I guess I am more concerned if redirecting to an external client-determined page could be used maliciously against the originating server. For example, when using a header redirect, is the originating server address or the client address used as the referrer?

Does a header redirect act the same way as if the visitor were clicking on a page link?

MattF
12-21-2010, 07:27 AM
Such as a malicious user crafting a submission form to punt the user to a phishing site or suchlike, you mean? Check your redirect URIs are local if you're punting a logged-in user to a confirmation page. If it's a generic link in a post/comment etc, they takes their chances.
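
The "check your redirect URIs are local" advice above, as an added example that is not part of the original thread. It assumes PHP 7 or later; the function name `local_redirect_target`, the hidden field name `confirm_url` and the fallback path `/confirmation.php` are hypothetical. It goes slightly beyond a plain "starts with /" test by also rejecting protocol-relative and backslash forms that browsers resolve to another host.

```php
<?php
// Added example: accept a client-supplied redirect target only when it is
// a path on this site; anything else falls back to a fixed local page.
function local_redirect_target($candidate, string $fallback = '/'): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Control characters (including CR/LF), spaces and backslashes are
    // rejected: browsers treat "\" like "/", so "/\host" leaves the site.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Exactly one leading "/": "//host/path" is a protocol-relative URL.
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $fallback;
    }
    // Nothing that parses with a scheme or host is local.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample values for the hidden form field.
$samples = [
    '/thanks.php?id=7',                                        // local: kept
    'http://externalsite.com/anotherformparse.php?name=hello', // absolute URL
    '//externalsite.com/',                                     // protocol-relative
    '/\\externalsite.com',                                     // backslash variant
    "/ok\r\nX-Injected: 1",                                    // header injection
];
foreach ($samples as $s) {
    printf("%-62s => %s\n", json_encode($s),
        local_redirect_target($s, '/confirmation.php'));
}

// In the form handler (hypothetical field name):
// $to = local_redirect_target($_POST['confirm_url'] ?? null, '/confirmation.php');
// header('Location: ' . $to, true, 303);
// exit;
```

A fixed allowlist of confirmation pages keyed by a short identifier is stricter still, since the client then never supplies a URL at all.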

benjam1nrk
12-21-2010, 03:08 PM
> Such as a malicious user crafting a submission form to punt the user to a phishing site or suchlike, you mean? Check your redirect URIs are local if you're punting a logged-in user to a confirmation page. If it's a generic link in a post/comment etc, they takes their chances.

Yes, only the redirect would not be saved for the next user, so the only scenario would be the malicious user redirecting himself.

I suppose my main concern is whether the server address or the form submitter's address is used as the referrer. If the malicious user redirects to something like externalsite.com/anotherformparse.php?name=hello, would it appear that the originating server is mass submitting the form or that the malicious user himself is submitting the external form?

MattF
12-21-2010, 05:08 PM
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Cross-site_request_forgery


