Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 6 of 6
  1. #1
    New Coder
    Join Date
    Feb 2009
    Posts
    36
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Question Header Redirect Security

    Hello,

    What potential security holes open when allowing a header redirect destination to be set by the client?

    For example, form input is parsed, and the form submitter should be redirected to the confirmation page. The confirmation page URL is passed as a hidden form variable. This would allow for easy customization on my client's side, but I am hesitant to implement due to potential security concerns.

    Would this cause any issues/security concerns?

  • #2
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    Think about what is to gain by messing with the confirmation redirect. Does it just break the page, or will it give a client a level of access he shouldn't have? If it just breaks the page for that client, then I don't consider it a big deal. The dangerous hackers will typically only target something if they can potentially profit from the exploit.

    The things you have to worry about are holes that give the client the ability to upload and create files on your webserver, get into your database or filesystem, that sort of thing.

  • #3
    New Coder
    Join Date
    Feb 2009
    Posts
    36
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Thank you for the response,

    I guess I am more concerned if redirecting to an external client determined page could be used maliciously against the originating server. For example, when using a header redirect, is the originating server address or the client address used as the referrer?

    Does a header redirect act the same way as if the visitor were clicking on a page link?

  • #4
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Such as a malicious user crafting a submission form to punt the user to a phishing site or suchlike, you mean? Check your redirect URI's are local if you're punting a logged in user to a confirmation page. If it's a generic link in a post/comment etc, they takes their chances.

  • #5
    New Coder
    Join Date
    Feb 2009
    Posts
    36
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by MattF View Post
    Such as a malicious user crafting a submission form to punt the user to a phishing site or suchlike, you mean? Check your redirect URI's are local if you're punting a logged in user to a confirmation page. If it's a generic link in a post/comment etc, they takes their chances.
    Yes, only the redirect would not be saved for the next user, so the only scenario would be the malicious user redirecting himself.

    I suppose my main concern is whether the server address or the form submitter's address is used as the referrer. If the malicious user redirects to something like externalsite.com/anotherformparse.php?name=hello, would it appear that the originating server is mass submitting the form or that the malicious user himself is submitting the external form?

  • #6
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •