Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

31 Google URLs Vulnerable to Open Redirect

Posted DateJuly 12, 2016
Posted Time 2   min Read

Do you remember the last time we discussed OWASP A10- Invalidated Open Redirect and Forwards? It was our OWASP educative series and we helped you understand how unauthorized redirects trick your customers. Here’s a snapshot for that:

How could someone suspect that they’ll be redirected to gettingrobbed.com that looks exactly like rfish.com? Attackers can make users give credentials, purchase random stuff, or even transfer money.

And if you thought that only small businesses fall trap to this, it’d be surprising how to redirect authorization is often overlooked.

In one of the most shocking incidents, 31 of the Google domains have been found to be vulnerable to this attack.

Is your website vulnerable too? Take AppTrana Free Trail for Open Redirection.

Take this domain for instance: https://asia.google.com/search?btnI&q=http://www.indusface.com

You can change the highlighted part to any website of your choice and the user will be redirected to that domain, without any redirect check. While a user will click on it thinking of it as a google domain, it’s not exactly that.

How attackers use it?

Let’s assume your company has absolutely no idea of which domains might be used to trigger redirects and an attacker finds it out.

www.yourcompany.com/ btnI&q=attacker.com

Now this ‘attacker.com’ is a complete copy of your website. It doesn’t matter if you’re in econ, banking, insurance, or something else. Attackers can make your customers fill in on any details at the cost your trust built over several years.

Note: Often these open redirection URLs are not so simple to detect. It can be something subtle like www.yourcompany.com/ btnI&q=lkht.io

Google Domains Found Vulnerable

Google failed to validate at least 31 URLs (that we know of) at the application layer. Here’s the list. You can go ahead and click on any of these to see where it takes you to.

1. https://asia.google.com/search?btnI&q=http://www.indusface.com/blog
2. http://blogsearch.google.com/search?btnI&q=https://indusface.com/blog/
3. http://clients1.google.com/search?btnI&q=http://www.indusface.com/blog
4. http://images.google.com/search?btnI&q=http://www.indusface.com/blog
5. http://mail.google.com/search?btnI&q=http://www.indusface.com/blog
6. http://map.google.com/search?btnI&q=http://www.indusface.com/blog
7. http://www.google.com/search?btnI&q=allinurl:https://www.indusface.com/blog/blog
8. http://appengine.google.com/_ah/logout?continue=http://indusface.com/blog
9. https://accounts.google.com/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://indusface.com/blog (user must be logged out)
10. https://google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://indusface.com/blog (user must be logged out)
11. https://www.google.com/search?source=www.indusface.com&hl=www.indusface.com &q=www.indusface.com&btnG=www.indusface.com &btnI=www.indusface.com
12. https://www.google.co.nz/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
13. https://www.google.lk/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
14. https://www.google.com.lb/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
15. https://www.google.la/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
16. https://www.google.kz/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
17. https://www.google.com.kw/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
18. https://www.google.co.kr/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
19. https://www.google.kg/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
20. https://www.google.ki/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
21. https://www.google.co.ke/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
22. https://www.google.co.jp/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
23. https://www.google.jo/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
24. https://www.google.com.jm/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
25. https://www.google.je/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
26. https://www.google.it/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
27. https://www.google.is/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com 
28. https://www.google.im/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com 
29. https://www.google.ie/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
30. https://www.google.iq/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com 
31. https://www.google.co.id/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com

How to Protect Your Website from Open Redirects?

With dozens of domains and hundreds of web applications, it is often difficult for business owners and security personnel to keep a tab on all of them. It is critical to have a mechanism in place that at least checks and reports Unauthorized Redirect vulnerability. Patching the issue should be the second step.

Since online business activities are volatile, continuous and manual security checks cannot be tied to them. AppTrana Free Website Scan is designed to warn you of such vulnerabilities under the critical category. While web application scanning continuously looks for such issues, our web application firewall blocks unvalidated redirects from your domains. You can even request custom POCs from our experts to understand how a hacker can use the vulnerability to attack you and your customers.

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.