CWE-601 指向未可信站点的URL重定向(开放重定向)
URL Redirection to Untrusted Site ('Open Redirect')
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: Low
基本描述
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
扩展描述
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 610 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 610 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
Paradigm: {'cwe_Name': 'Web Based', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] | The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data. |
| ['Access Control', 'Confidentiality', 'Other'] | ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity', 'Other'] | The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. |
检测方法
DM-10 Manual Static Analysis
Automated Dynamic Analysis
Automated Static Analysis
Other
Automated Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
- Bytecode Weakness Analysis - including disassembler + source code weakness analysis
- Binary Weakness Analysis - including disassembler + source code weakness analysis
Dynamic Analysis with Automated Results Interpretation
According to SOAR, the following detection techniques may be useful:
- Web Application Scanner
- Web Services Scanner
- Database Scanners
Dynamic Analysis with Manual Results Interpretation
According to SOAR, the following detection techniques may be useful:
- Fuzz Tester
- Framework-based Fuzzer
Manual Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
- Manual Source Code Review (not inspections)
Automated Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
- Source code Weakness Analyzer
- Context-configured Source Code Weakness Analyzer
Architecture or Design Review
According to SOAR, the following detection techniques may be useful:
- Formal Methods / Correct-By-Construction
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
可能的缓解方案
MIT-5 Implementation
策略: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Use a whitelist of approved URLs or domains to be used for redirection.
Architecture and Design
策略:
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
MIT-21.2 Architecture and Design
策略: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Architecture and Design
策略:
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
MIT-6 ['Architecture and Design', 'Implementation']
策略: Attack Surface Reduction
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
MIT-29 Operation
策略: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.
示例代码
例
The following code obtains a URL from the query string and then redirects the user to that URL.
bad PHP
header("Location: " . $redirect_url);
The problem with the above code is that an attacker could use this page as part of a phishing scam by redirecting users to a malicious site. For example, assume the above code is in the file example.php. An attacker could supply a user with the following link:
attack
The user sees the link pointing to the original trusted site (example.com) and does not realize the redirection that could take place.
例
The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address.
bad Java
if (query.contains("url")) {
response.sendRedirect(url);
}
}
}
The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of a e-mail phishing scam to redirect users to a malicious site. An attacker could send an HTML formatted e-mail directing the user to log into their account by including in the e-mail the following link:
attack HTML
The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site.
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2005-4206 | URL parameter loads the URL into a frame and causes it to appear to be part of a valid page. | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4206 |
| CVE-2008-2951 | An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function. | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951 |
| CVE-2008-2052 | Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter. | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2052 |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| WASC | 38 | URl Redirector Abuse | |
| Software Fault Patterns | SFP24 | Tainted input to command |
引用
-
REF-483 Exploitable Redirects on the Web: Identification, Prevalence, and Defense
-
REF-484 Open redirect vulnerabilities: definition and prevention
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论