TransWikia.com

Is there a vulnerability in subdomain redirection, similar to Open Redirect

Information Security Asked by Tomi Begher on October 28, 2021

I found a website that has the parameter post_login_redirect= which I can change to any existing and non-existing subdomain, but there is no possibility to redirect to another domain. The redirect occurs after the user logs in.

For example:

We have sub.domain.com and we can change it to anything as long as we respect domain.com. So we can redirect to a.b.c.b.domain.com even if that subdomain doesn't exist; it will redirect anyway. But we can't redirect to a.hello.com.

This is not an open redirect issue, because we can only redirect to subdomains that we don’t own.

Is there any possibility to chain this or make this a real vulnerability?

2 Answers

Except for special circumstances (see below) or an especially high-security environment like online banking (then they should use a whitelist of destinations, or perhaps not redirect at all), I would say that this is not a risk worth mentioning. If you can't redirect to anything that is fully or even partially under the control of an attacker, there isn't really any risk.

There are quite a few things that might be attacker-controlled or influenced, though. Consider:

  • Can employees of the company request subdomains and run something insecure there?
  • Can you register a subdomain? (E.g. if it's a webhosting company.)
  • What if you enter an IP address instead of a (sub)domain? Can you format the IP like http://0x50.031101626?
  • Does the URL parser properly check the URL, e.g. is something like https://domain.com@hello.com recognized to be under the control of hello.com rather than domain.com?
  • Would switching protocols or using a different port help at all?
  • If desktops can be resolved with something like DESKTOP-9BA5A95.dyn.domain.com or 80-100-131-150.employees.domain.com, can employees request firewall exceptions? I.e. could someone with low privileges (the proverbial cleaning lady/man) set up a web server somewhere on one of these desktops and trick other users into using the redirect? (This sort of thing used to be more common in the past, probably almost non-existent in 2020.)
  • Some DNS resolvers and scummy ISPs (like the German Telekom) inject ads when a domain cannot be found. Can you redirect to a nonexistent subdomain like some-keyword.domain.com and buy an ad for some-keyword, hoping the user thinks the ad looks legitimate and clicks it?

There are quite a few options here, but some rely on other vulnerabilities being present and others won't be common or very practical.

Answered by Luc on October 28, 2021

Who would be affected if this were a valid open redirect attack, if it only redirects to its own subdomains? If we can redirect to a subdomain that then navigates the user to an untrusted domain, we can speak of a valid open redirection attack.

Low: post_login_redirect=sub.domain.com
High: post_login_redirect=sub.domain.com/?a=http://www.untrust.ed

Answered by user211258 on October 28, 2021
