Difference between revisions of "OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse"

From OWASP

Revision as of 14:09, 14 May 2013

URL Redirector Abuse

Root Cause Summary

Applications accept arbitrary user-defined URLs as input, which are then used as targets for redirection. Users may be unwittingly rerouted to a malicious site from a site they trust.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

The framework should expose a configurable white list of hosts and/or paths that are acceptable targets for URL redirection. This might include additional rules about stripping fragments and URL parameters from the redirection target. The default rule set should allow only relative URLs, in order to prevent redirection away from the original site.

The framework should prevent application code from directly modifying Location, Refresh, or any other response headers that might be used by the browser to load URL resources. The framework should prevent the use of document.location and window.location in JavaScript. Instead, the framework should expose an API for URL redirection which can accept an arbitrary URL, but applies the white list rules and transformations before allowing the redirect.

Session expiration code and code which handles unauthenticated deep linking should automatically apply the white list when attempting to redirect back to a requested URL after successful authentication.
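The following is an added example, not OWASP's code or any particular framework's API, of what the redirect API described above could look like in Python: the allow list is an assumed set of hostnames, the default (empty) list accepts only site-relative paths, fragments and query strings are stripped before the target is returned, and anything that fails the rules falls back to a safe local path.

```python
from urllib.parse import urlsplit, urlunsplit

# Characters browsers silently strip from URLs; rejecting them is safer than
# normalising, because stripping can turn "/\t/evil" into "//evil".
_FORBIDDEN_CHARS = set("\t\r\n\x00")


def safe_redirect_target(url, allowed_hosts=frozenset(),
                         strip_fragment=True, strip_query=True, fallback="/"):
    """Apply the redirect allow list to a caller-supplied target.

    Returns the (possibly stripped) target when it is acceptable, otherwise
    ``fallback``.  With the default empty ``allowed_hosts`` only site-relative
    paths such as "/account" pass, so the redirect never leaves the origin.
    """
    if not isinstance(url, str) or not url or url != url.strip():
        return fallback
    if _FORBIDDEN_CHARS & set(url):
        return fallback
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" is
    # really the scheme-relative "//evil.example"; normalise before parsing.
    candidate = url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal in the host
        return fallback

    if candidate.startswith("/") and not candidate.startswith("//"):
        # Site-relative path: resolves against the current origin.
        if parts.scheme or parts.netloc:
            return fallback
    else:
        # Absolute ("https://host/...") or scheme-relative ("//host/...").
        if parts.scheme not in ("", "http", "https"):
            return fallback     # javascript:, data:, and similar
        if not parts.netloc or parts.username is not None:
            return fallback     # "http:host/..." tricks and userinfo spoofing
        if parts.hostname not in allowed_hosts:
            return fallback

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       "" if strip_query else parts.query,
                       "" if strip_fragment else parts.fragment))


if __name__ == "__main__":
    # Constructed sample targets, e.g. from a "?next=" parameter after login.
    for target in ["/account?tab=1#x", "//evil.example/", "/\\evil.example",
                   "https://shop.example/cart#top", "javascript:alert(1)"]:
        print(repr(target), "->", safe_redirect_target(target, {"shop.example"}))
```

The session-expiration and deep-link handlers would call this function on the stored return URL instead of emitting a Location header themselves, so the allow list is applied in one place.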

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy
