Information Security Asked by Tomi Begher on October 28, 2021
I found a website that has the parameter post_login_redirect=
I can change it to any existing or non-existing subdomain, but there is no possibility to redirect to another domain. The redirect occurs after the user logs in.
For example: we have sub.domain.com, and we can change it to anything as long as we respect domain.com. So we can redirect to a.b.c.b.domain.com; even if that subdomain doesn't exist, it will redirect anyway. But we can't redirect to a.hello.com.
This is not an open redirect issue, because we can only redirect to subdomains that we don’t own.
Is there any possibility to chain this or make this a real vulnerability?
Except for special circumstances (see below) or an especially high-security environment like online banking (then they should use a whitelist of destinations, or perhaps not redirect at all), I would say that this is not a risk worth mentioning. If you can't redirect to anything that is fully or even partially under the control of an attacker, there isn't really any risk.
There are quite a few things that might be attacker-controlled or influenced, though. Consider:
- Is https://<anything>@hello.com recognized to be under the control of hello.com rather than domain.com?
- DESKTOP-9BA5A95.dyn.domain.com or 80-100-131-150.employees.domain.com: can employees request firewall exceptions? I.e. could someone with low privileges (the proverbial cleaning lady/man) set up a web server somewhere on one of these desktops and trick other users into using the redirect? (This sort of thing used to be more common in the past, probably almost non-existent in 2020.)
- some-keyword.domain.com, and buy an ad for some-keyword, hoping the user thinks the ad looks legitimate and clicks it?
There are quite a few options here, but some rely on other vulnerabilities being present and others won't be common or very practical.
Answered by Luc on October 28, 2021
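An added example (my code, not Luc's or the site's) of the userinfo point in the answer above: a substring check accepts https://sub.domain.com@hello.com because the string contains domain.com, while a check that parses the value and looks at the host the browser will actually connect to rejects it. It assumes the allowed zone is domain.com and that the application prefixes bare values such as sub.domain.com with https://.

```python
from urllib.parse import urlsplit

# Assumed first-party zone; the question only says redirects must stay under domain.com.
ALLOWED_ZONE = "domain.com"


def naive_is_safe(value: str) -> bool:
    """A substring check of the kind that lets the '@' trick through."""
    return ALLOWED_ZONE in value


def redirect_host(value: str):
    """Return the host a browser would connect to for this parameter value,
    or None when the value should be refused outright."""
    try:
        parts = urlsplit(value)
        if not parts.scheme and not parts.netloc:
            # Bare 'sub.domain.com/...' values: assume the app prefixes https://
            parts = urlsplit("https://" + value)
    except ValueError:
        return None
    if parts.scheme != "https":  # also refuses '//host' and javascript: values
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo present: the real host is what follows '@'
    if "\\" in parts.netloc:
        return None  # browsers treat '\' like '/', other parsers do not
    host = (parts.hostname or "").rstrip(".").lower()
    return host or None


def strict_is_safe(value: str) -> bool:
    """Allow only domain.com itself or a label-wise subdomain of it."""
    host = redirect_host(value)
    if host is None:
        return False
    return host == ALLOWED_ZONE or host.endswith("." + ALLOWED_ZONE)


if __name__ == "__main__":
    # Constructed sample values, including the ones discussed in the thread.
    for v in ["sub.domain.com", "a.b.c.b.domain.com", "a.hello.com",
              "https://sub.domain.com@hello.com", "domain.com.hello.com",
              "//hello.com", "sub.domain.com/?a=http://www.untrust.ed"]:
        print(f"{v:45} naive={naive_is_safe(v)!s:5} strict={strict_is_safe(v)}")
```

The last sample passes the host check, which is exactly the point of the second answer below: the redirect itself is fine, but whatever sub.domain.com does with its own a= parameter is a separate question.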
Who would be affected if this were a valid open redirect attack, if it only redirects to its subdomains? If we can redirect to a subdomain that then navigates the user to an untrusted domain, we can speak of a valid open redirection attack.
Low: post_login_redirect=sub.domain.com
High: post_login_redirect=sub.domain.com/?a=http://www.untrust.ed
Answered by user211258 on October 28, 2021