Full Disclosure mailing list archives
Re: Google open redirect
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 14 Dec 2011 01:29:44 +0100
Marsh Ray <marsh () extendedsubset com> wrote:

> > But now if we successfully convince every developer on the planet to
> > stop using HTTP redirection, that doesn't change that the user doesn't
> > know how to determine if the URL is trusted or not, so we just use one
> > of dozens of other simple tricks. Surely the correct solution is to
> > educate those users who are doing it incorrectly.
>
> I am in complete agreement with you. Let's say you are a bank that has
> just invested in a successful anti-phishing user education campaign.
> All the users have been trained to look beneath the HTML in emails, not
> to accept invalid SSL certificates, and only follow "legitimate" links
> that look like:
>
>   https://*.examplebank.com/
>
> At that point an open redirect is found under your site, such that
>
>   https://onlinebanking.examplebank.com/confirm.aspx?customerid=1234&return=http%3a%2f%2fpwn%2ely
>
> drives the browser to the attacker's phishing site. Does this represent
> a vulnerability?
>
> - Marsh

So they've trained their users to parse and understand HTML, can decode
complex documents manually, and understand the difference between anchor
text and destination. They can decipher complex URLs using any of the
obscure syntax supported, and understand the hierarchical nature of the
domain name system. They've also learned how to verify SSL certificates
without clicking on links (perhaps using openssl s_client?). Bizarrely,
they've also been convinced to never read the address bar (which is really
all they needed to do from the start instead of the hours of training
requiring them to reach this level).

Then yes, you have a vulnerability. However, it's in the criminally
negligent training material provided by the bank :-)

Tavis.

--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
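As an added illustration of the server-side fix for the class of bug Marsh describes (this is editor-supplied example code, not part of the thread and not from any bank's code base): the `return` parameter of the confirm.aspx URL quoted above is only safe to honour if its value is a relative path on the same origin or an https URL whose host is examplebank.com or a subdomain of it. The allowlist suffix and the `safe_return_target` / `is_safe_redirect` names are assumptions for this example. The validator deliberately rejects the forms that a naive `startswith("https://")` or substring check lets through: protocol-relative `//host` targets, look-alike hosts such as `examplebank.com.pwn.ly`, and userinfo tricks such as `examplebank.com@pwn.ly`.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for this example: the bank's registrable domain.
ALLOWED_DOMAIN = "examplebank.com"
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` keeps the browser on the bank's site.

    Accepts: a same-origin absolute path ("/account/summary") or an https
    URL whose host is ALLOWED_DOMAIN or a subdomain of it.
    Rejects everything else, including "//host", non-https schemes,
    look-alike domains and userinfo tricks.
    """
    # Header-injection guard: CR/LF must never reach a Location header.
    if any(c in target for c in "\r\n"):
        return False

    parts = urlsplit(target)

    # No scheme and no netloc: treat as a path on the current origin.
    # Require a single leading "/" so "//pwn.ly" and "/\pwn.ly" (which
    # browsers read as protocol-relative) are refused.
    if not parts.scheme and not parts.netloc:
        return (target.startswith("/")
                and not target.startswith("//")
                and not target.startswith("/\\"))

    # Absolute URL: only https, and only our own domain or its subdomains.
    if parts.scheme.lower() != "https":
        return False
    # hostname strips userinfo and port, so "examplebank.com@pwn.ly"
    # yields "pwn.ly" and is rejected by the suffix check below.
    host = (parts.hostname or "").lower()
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def safe_return_target(request_url: str) -> str:
    """Extract the `return` parameter from a request URL and return it
    only if it passes is_safe_redirect; otherwise fall back to the default.
    parse_qs percent-decodes once, exactly as the server would."""
    query = urlsplit(request_url).query
    values = parse_qs(query).get("return", [])
    if values and is_safe_redirect(values[0]):
        return values[0]
    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample: the URL from Marsh's message. The decoded
    # parameter is "http://pwn.ly", so the redirect falls back to "/".
    sample = ("https://onlinebanking.examplebank.com/confirm.aspx"
              "?customerid=1234&return=http%3a%2f%2fpwn%2ely")
    print(safe_return_target(sample))
```

The key design choice is to parse the target with a real URL parser and compare the extracted hostname, never to pattern-match on the raw string; most open redirects that survive a first fix do so because the check was a string prefix or substring test rather than a host comparison.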