What is an Open Redirect Attack?
Todd Stansfield
—March 12, 2024
—4 min read
Impersonation is one of the most common and reliable tactics of any hacker. It naturally causes victims to lower their guard and overlook the subtle and not-so-subtle signs of malice. But how hackers go about impersonating legitimate entities—whether people or businesses—varies significantly. Numerous techniques exist to accomplish this feat—and among them is the practice of abusing an open redirect. Vade continues to see this technique used commonly in phishing scams that abuse legitimate brands and services.
In this blog post, we break down what an open redirect attack is, how it works, why hackers use it, and how you can protect against it.
What is an open redirect?
Redirects are a necessary part of the Internet, used to tell a browser to automatically browse another website or visit another URL. It’s extremely common, used for situations such as redirecting a site from an insecure HTTP version to a more secure HTTPS. When done securely, these redirections happen from within the web application and can be controlled or secured by the site owners.
An open redirect is when a redirected URL can be set from outside the application or can otherwise be impacted by user-controlled information. On the surface, it is not inherently a bad thing (3xx redirects are technically a category of open redirects!), but they can be easily exploited. Problems arise when attackers redirect to external URLs without proper validation or sanitization. As the name suggests, an open redirect attack occurs when hackers exploit this vulnerability to redirect users to different, potentially harmful websites.
How does an open redirect work?
The typical process of open redirects involves the following steps:
- User input: The web application accepts user-provided input, usually in the form of a URL, as a parameter in a redirect request.
- Lack of validation: The application neglects to adequately validate or sanitize the user-provided input. In other words, it fails to check whether the provided URL is a valid and secure destination.
- Redirection: The application executes a redirect to the URL specified by the user input.
- Exploitation: Exploiting the absence of validation, an attacker crafts a malicious URL pointing to a harmful website. Techniques like URL encoding may be employed to conceal malicious intent.
- User interaction: When a user clicks on the crafted URL, they are redirected to the malicious website. This redirection can lead to various attacks, including phishing, session theft, or the delivery of malicious content.
The example below shows a legitimate webpage of Baidu, the Chinese search engine. The webpage URL originates from a phishing email that contains a link redirect. Users that click the link get sent to this page momentarily before getting redirected to a destination phishing page. By using an open redirect, hackers can hide the malicious link behind a legitimate one. They can also evade security measures that consider a domain’s reputation and age to filter threats.
By abusing a brand like Baidu, hackers can exploit the trust signals of an otherwise safe and widely used legitimate service. They can also increase the chances their phishing email ends up in the targeted user’s inbox. That explains why Vade has detected a high volume of open redirect attacks involving Baidu.
Baidu open redirect attack detected by Vade
How are open redirects exploited by spammers?
Open redirects are leveraged by spammers looking to circumvent numerous security measures, particularly Webroot bots that identify malicious links. For spammers, trying to out-think their adversaries is crucial during large-scale phishing mass-mailing campaigns. Below is a non-exhaustive list of bots that scrutinize links, distinguishing between legitimate and malicious links before reaching the inbox:
- Anti-spam ISP bots
- SMTP anti-spam bots
- Brave bot scanning
- Webroot bots
- Google Safe Browsing
- Email spam filter bots
- VPS anti-spam bot detectors
- Victims' hardware antivirus detection
To outsmart bots and achieve successful inbox deliverability while simultaneously evading browser-based Webroot scans, spammers resort to scripting scam pages with obfuscation techniques and setting up “fudlinks” (fully undetectable links). If an attacker lacks the web hacking skills to perform subdomain penetration testing and discover open redirects, several valid open redirect bots are available. These bots assist in making scam script links fully undetectable, allowing them to bypass fake user interactions triggered by bots and ensuring real users can access the intended target links.
How do you detect open redirect vulnerabilities?
To detect open redirect vulnerabilities, particularly those involving subdomains, a combination of manual testing and automated tools is typically required. The following steps can be taken to uncover such vulnerabilities:
- Identify input points: Locate areas in the web application where user input is accepted and utilized in a redirect, such as URL query string parameters, form fields, or other input methods.
- Test with trusted URLs: Test the redirect functionality using trusted URLs to ensure that the application redirects as intended without presenting security issues.
- Craft malicious URLs: Experiment with creating URLs that contain different subdomains and observe how the application responds. For example, you can try using URLs like http://bing.com/ck/a. It's important to note that there may be open redirect vulnerabilities in the "bing.com" domain that haven't been addressed, which could allow redirection to spammer links and bypass anti-spam measures.
- Check subdomains: Test various subdomains in the redirect parameter to determine if the application allows redirects to external subdomains, including both legitimate and potentially malicious ones.
- Use automated tools: Take advantage of automated tools like OWASP ZAP, Burp Suite, or specialized vulnerability scanners. Configure these tools to test subdomains within the redirect parameters.
- Review source code: If access to the application's source code is available, examine how the redirect functionality is implemented. Ensure that user-provided input is properly validated and consider implementing a whitelist of allowed domains.
How to protect against open redirect attacks?
You can protect against open redirect attacks by implementing a combination of measures. Advanced email security solutions like Vade for M365 can filter malicious emails containing open redirect links and prevent them from reaching users. Phishing awareness training can teach users to identify the signs of phishing and report suspicious emails for remediation. And other measures, such as adopting multifactor authentication (MFA) and enforcing strong password policies, can limit the risk of exploitation before or after a successful compromise.