WebApp Sec mailing list archives
Re: usability vs security - return urls by parameter
From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Wed, 16 Jul 2008 15:12:59 +0300
Hi. That seems to be a part of the "open redirects problem" which was discussed a lot on this list.

2008/7/15 MC Iglo <mc.iglo () googlemail com>:
Hi all,

lately, I see more and more pages using GET parameters to store a return URL after login. Two famous examples are eBay and Google. Of course, this is nice for the user to get back to where he came from before logging in. But on the other hand, I think that's an extremely high risk!

In most cases, the URL is something like

http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return=http%3A%2F%2Fgooddomain.tld%2Fadmin&morearg=morebla

As you can see in the example above, it is not very clear what URL the user will be redirected to. Now let's obfuscate it a little bit more and replace the return path, and you get

http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return=%68%74%74%70%3a%2f%2f%62%75%67%67%65%6c%7a%2e%66%75%6e%70%69%63%2e%64%65%2f%67%70%6f%74%61%74%6f%2e%68%74%6d%6c&morearg=morebla

(The decoded string is an example form - I notified them separately before.)

Let's send this link to someone interested in their products or put it on a website/forum as a reply to a question. Even careful people might be tricked into clicking on this link and logging in, because they see 'http://gooddomain.tld/...', and that IS the site they want to go to. After they have logged in successfully, the website redirects them to my malicious site, which says the login was incorrect. Of course, the user will not be distrustful, because he was sent to this 'view' by gooddomain.tld (he won't check the address bar for sure), and he types in his data again to be sure he made no typos, and I store this data on my server. I have successfully stolen his data and redirect him to the normal portal. He won't even notice it and thinks he made a typo at the first try.

In my opinion, this is extremely critical, but hey... who cares? It's web 2.0...

Regards
MC.Iglo

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
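The mitigation the thread is pointing at is server-side validation of the return parameter after it has been decoded, accepting only local paths on the site itself. The Python below is an added example written for this archive page, not code from either poster: it decodes the `return` parameter the way a web server would (which is exactly why percent-encoding the value, as in the quoted message, does not help an attacker against a check that runs on the decoded value) and reduces it to a local path, or falls back to a default. `SITE_HOST`, `safe_return_url` and `return_target_from_query` are names chosen here; gooddomain.tld is the placeholder domain from the post, and the sample query strings are the two from the post plus a few constructed variants.

```python
from urllib.parse import parse_qs, urlsplit

# Host that owns login.php; "gooddomain.tld" is the placeholder domain used in the post.
SITE_HOST = "gooddomain.tld"


def safe_return_url(candidate, default="/"):
    """Reduce a user-supplied return URL to a local path on SITE_HOST.

    Anything that is not plainly a path on this site (other hosts, other
    schemes, protocol-relative or backslash forms, control characters)
    yields `default`, so the login page never redirects off-site.
    """
    if not isinstance(candidate, str) or not candidate:
        return default
    # Surrounding whitespace and C0 control characters are stripped by browsers
    # (and by newer urlsplit()) before parsing; CR/LF would also permit header injection.
    if candidate.strip() != candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    # Browsers treat "\" as "/" in URLs, so "/\evil.example" becomes "//evil.example".
    if "\\" in candidate:
        return default

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allow only http(s) on exactly our
        # host, with no userinfo ("host@evil") and no explicit port, and keep
        # just the local part so the redirect never carries a host at all.
        if parts.scheme not in ("http", "https"):
            return default
        try:
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            return default
        if parts.username is not None or port is not None:
            return default
        if parts.hostname != SITE_HOST:
            return default
        local = parts.path or "/"
        if parts.query:
            local += "?" + parts.query
        if parts.fragment:
            local += "#" + parts.fragment
    else:
        local = candidate

    # Must be an absolute path on this site; "//..." would be protocol-relative.
    if not local.startswith("/") or local.startswith("//"):
        return default
    return local


def return_target_from_query(query_string, default="/"):
    """Decode the query string as a web server would, then validate 'return'."""
    values = parse_qs(query_string, keep_blank_values=True).get("return", [])
    if not values:
        return default
    return safe_return_url(values[0], default)


if __name__ == "__main__":
    # Constructed inputs: the two query strings from the post, then a few
    # variants a validator must also handle.
    plain = ("arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22"
             "&return=http%3A%2F%2Fgooddomain.tld%2Fadmin&morearg=morebla")
    obfuscated = ("arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return="
                  "%68%74%74%70%3a%2f%2f%62%75%67%67%65%6c%7a%2e%66%75%6e%70%69%63"
                  "%2e%64%65%2f%67%70%6f%74%61%74%6f%2e%68%74%6d%6c&morearg=morebla")
    for q in (plain, obfuscated):
        print("query ->", return_target_from_query(q))
    for c in ("/account?tab=2", "//evil.example/", "http://gooddomain.tld@evil.example/",
              "javascript:alert(1)", "/\\evil.example", "/admin\r\nX: y"):
        print(repr(c), "->", safe_return_url(c))
```

The checks on `//`, backslashes, userinfo and ports are there because each is a way for a value that looks like a path or like the site's own host to resolve to another origin once the browser normalises it; a same-origin absolute URL is accepted only after being stripped down to its path, query and fragment, so the Location header that the login page emits never contains a host at all.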
Current thread:
- usability vs security - return urls by parameter MC Iglo (Jul 15)
- Re: usability vs security - return urls by parameter Gleb Paharenko (Jul 16)