Why Open Redirect URLs?
I've been going through the OWASP top 10 to get a deeper understanding of each specific type of vulnerability. I've made my way to the last item, Unvalidated URL Redirects. I understand the attack; such a phishing scheme seems completely obvious now that I have read about it in OWASP. What I am struggling to understand is why this style of redirecting ever occurs in the first place.
There must be some advantage(s) to including the redirect URL as a parameter in the URL,
i.e. example.com/go.php?url=newpage.php
rather than using many of the other possible redirect schemes. Even if the url parameter is generated dynamically, couldn't it still be sent through POST to prevent the creation of malicious URLs? Why does Google allow anyone to send "I'm Feeling Lucky" redirect URLs like this one that goes to Stack Overflow?
This question is a bit old now, but I'll have a go at answering it for you anyway in case you're still curious, or forgot about it completely. :)
Here are the two most common use cases for adding redirect parameters that I can think of:
As a way of monitoring or warning users when they are leaving the site. On websites that want to track trends and user traffic, like Twitter with its URL shorteners, or Google with search tracking, this can be used to find out where users are going next. Websites might also scrutinize the URL and check to see if it's safe first, or just present the user with a 'leaving page' that warns them that they're leaving the domain.
To remember what a user's intention was before they were necessarily diverted. For instance, a user might have tried to go directly to their account page, but they need to be redirected to the login page to sign in first. Once this is successful, the user is directed back to the page they were originally trying to access, rather than a default page, aiding continuity.
In the second case, the intended URL could indeed be passed as a hidden parameter, or as a cookie. However, both of these techniques could still be vulnerable to abuse in the same way as OWASP identifies... except possibly where the URL is stored as a session variable on the server side.
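As an added example (not code from the original question or answer), here is a defender-side validator in Python for the "return to this page after login" parameter described in the second use case above, showing how the value can stay in the URL without becoming an open redirect. SITE_HOST, DEFAULT_LANDING and the session layout are assumptions.

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical application settings (assumed; not from the original post).
SITE_HOST = "example.com"
DEFAULT_LANDING = "/account"


def safe_redirect_target(candidate, site_host=SITE_HOST, fallback=DEFAULT_LANDING):
    """Return a post-login redirect target that stays on site_host.

    Only a root-relative path such as "/account?tab=security" is accepted.
    Absolute URLs, scheme-relative "//host" forms, backslash variants and
    non-http schemes all collapse to the fallback, so the value cannot be
    turned into an open redirect even though it travels in the URL.
    """
    if not candidate:
        return fallback
    # Browsers drop ASCII tab/newline inside a URL and trim surrounding
    # whitespace, so "/\t/evil.example" really means "//evil.example".
    candidate = "".join(ch for ch in candidate if ch not in "\t\r\n").strip()
    # Browsers also treat "\" like "/" in http(s) URLs, turning
    # "/\evil.example" into "//evil.example".
    candidate = candidate.replace("\\", "/")
    # "//host" and "///host" are both resolved as a new authority by browsers,
    # although urlsplit reports an empty netloc for the triple-slash form.
    if candidate.startswith("//"):
        return fallback
    parts = urlsplit(candidate)
    # Any scheme or host (http://..., https:host, javascript:...) is rejected;
    # an on-site page is always reachable by its path alone.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return fallback
    target = parts.path + ("?" + parts.query if parts.query else "")
    # Belt and braces: resolving against the site must not leave site_host.
    if urlsplit(urljoin("https://" + site_host + "/", target)).netloc != site_host:
        return fallback
    return target


def post_login_location(session, url_param):
    """Second use case from the answer: send the user to the page they asked
    for before being bounced to login. A server-side session copy is preferred
    over the URL parameter, and either way the value is validated."""
    return safe_redirect_target(session.get("return_to") or url_param)


if __name__ == "__main__":
    for value in ["/account?tab=security", "//evil.example", "///evil.example",
                  "/\\evil.example", "https:evil.example", "javascript:alert(1)"]:
        print(repr(value), "->", safe_redirect_target(value))
```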