Do you remember the last time we discussed OWASP A10: Unvalidated Redirects and Forwards (open redirects)? It was part of our OWASP educational series, and we explained how unauthorized redirects trick your customers. Here's a snapshot of it:

How could anyone suspect that they are being redirected to gettingrobbed.com, a site that looks exactly like rfish.com? Attackers can make users hand over credentials, buy random items, or even transfer money.

And if you thought that only small businesses fall for this, you'd be surprised how often redirect validation is overlooked, even by the largest companies.

In one of the most striking cases, 31 Google domains were found to be vulnerable to this attack.

Take this domain for instance: https://asia.google.com/search?btnI&q=http://www.indusface.com

You can change the highlighted part (the URL after q=) to any website of your choice, and the user will be redirected to that domain without any redirect check. The user clicks the link trusting it as a Google domain, but that is not where they end up.

How do attackers use it?

Let's assume your company has absolutely no idea which of its domains might be used to trigger redirects, and an attacker finds one.

www.yourcompany.com/btnI&q=attacker.com

Now this 'attacker.com' is a complete copy of your website. It doesn't matter whether you are in e-commerce, banking, insurance, or something else: attackers can get your customers to enter any details they like, at the cost of the trust you built over several years.

Note: These open redirect URLs are often not so easy to spot. The target can be something subtle like www.yourcompany.com/btnI&q=lkht.io

Google Domains Found Vulnerable

Google failed to validate at least 31 URLs (that we know of) at the application layer. Here's the list. You can click on any of these to see where it takes you.

1. https://asia.google.com/search?btnI&q=http://www.indusface.com/blog
2. http://blogsearch.google.com/search?btnI&q=https://indusface.com/blog/
3. http://clients1.google.com/search?btnI&q=http://www.indusface.com/blog
4. http://images.google.com/search?btnI&q=http://www.indusface.com/blog
5. http://mail.google.com/search?btnI&q=http://www.indusface.com/blog
6. http://map.google.com/search?btnI&q=http://www.indusface.com/blog
7. http://www.google.com/search?btnI&q=allinurl:https://www.indusface.com/blog
8. http://appengine.google.com/_ah/logout?continue=http://indusface.com/blog
9. https://accounts.google.com/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://indusface.com/blog (user must be logged out)
10. https://google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://indusface.com/blog (user must be logged out)
11. https://www.google.com/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
12. https://www.google.co.nz/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
13. https://www.google.lk/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
14. https://www.google.com.lb/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
15. https://www.google.la/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
16. https://www.google.kz/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
17. https://www.google.com.kw/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
18. https://www.google.co.kr/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
19. https://www.google.kg/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
20. https://www.google.ki/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
21. https://www.google.co.ke/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
22. https://www.google.co.jp/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
23. https://www.google.jo/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
24. https://www.google.com.jm/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
25. https://www.google.je/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
26. https://www.google.it/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
27. https://www.google.is/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com 
28. https://www.google.im/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com 
29. https://www.google.ie/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com
30. https://www.google.iq/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com 
31. https://www.google.co.id/search?source=www.indusface.com&hl=www.indusface.com&q=www.indusface.com&btnG=www.indusface.com&btnI=www.indusface.com

How to Protect Your Website from Open Redirects?

With dozens of domains and hundreds of web applications, it is often difficult for business owners and security personnel to keep tabs on all of them. It is critical to have a mechanism in place that at least checks for and reports unvalidated redirect vulnerabilities. Patching the issue is the second step.

Since online business activity changes constantly, manual security checks cannot keep pace with it. The Indusface Total Application Security portal is designed to warn you of such vulnerabilities under the critical category. While web application scanning continuously looks for these issues, our web application firewall blocks unvalidated redirects from your domains. You can even request custom POCs from our experts to understand how a hacker could use the vulnerability to attack you and your customers.
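One way to enforce the validation described above on the server side, as an added example that is not part of the original post or of the Indusface product: the redirect parameter (such as the q or continue values in the URLs listed earlier) is checked against an allowlist of your own hosts, and anything else falls back to a safe default. The host names, parameter names and request URLs below are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Assumed allowlist and fallback for the hypothetical site in the post.
ALLOWED_HOSTS = {"www.yourcompany.com", "yourcompany.com"}
DEFAULT_TARGET = "https://www.yourcompany.com/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `target` only if it is a same-site relative path or an https URL
    whose host is on the allowlist; otherwise return the safe default."""
    if not target:
        return default
    # Backslashes and control characters are rejected outright: browsers turn
    # "/\evil.com" into the protocol-relative "//evil.com", and CR/LF would
    # allow header injection into the Location header.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default
    parts = urlsplit(target)
    # No scheme and no authority: a relative path. It must start with exactly
    # one "/" because "//attacker.com" is protocol-relative, not a local path.
    if not parts.scheme and not parts.netloc:
        return target if target.startswith("/") and not target.startswith("//") else default
    # Absolute URL: require https, forbid credentials in the authority
    # ("https://www.yourcompany.com@attacker.com" parses as host attacker.com),
    # and require an exact allowlisted host (no suffix or prefix matching).
    if parts.scheme.lower() != "https":
        return default
    if parts.username is not None or parts.password is not None:
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    # Rebuild the URL so only normalised components reach the Location header.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def redirect_for_request(request_url, param="continue"):
    """Extract the redirect parameter from an incoming request URL and validate it."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    return safe_redirect_target(query.get(param, [""])[0])
```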

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to its initial customers with a proven, validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services and Sales @Entrust.