Unvalidated Redirects & Forwards


Unvalidated Redirects & Forwards
Rick Stroud
28 July 2016
CSCE 548 Student Presentation

Agenda
By the conclusion of this presentation you will be able to answer the following four questions concerning Unvalidated Redirects & Forwards:
Q1) What is it?
Q2) What is the risk?
Q3) How to prevent it?
Q4) How to detect it?

What is a Redirect & Forward?
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. [1]
response.sendRedirect("http://www.SomeSite.com");
www.SomeSite.com/RedirectMe.jsp?Destination=AnotherSite.com
#10 on the OWASP Top 10 Vulnerabilities
[1] https://www.owasp.org/index.php/Top_10_2013-Top_10

Are All Redirects & Forwards Bad?
There are legitimate reasons why an application may need to redirect a user.
For example, after authentication some websites take users to their personally defined home page.
If you have ever visited a website on a mobile device and been automatically taken to the mobile version of the site, you have likely encountered a redirect or forward.
Redirects & forwards are a key part of internet & email marketing.

What Google Says
"We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks." [2, 3]
[2] https://www.google.com/about/appsecurity/reward-program/
[3] https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/

Example – Non Malicious

When Are Redirects & Forwards Bad?
When the destination of the redirect or forward is vulnerable to tampering.
This includes redirecting to user-supplied destinations.
Any time the destination of a redirect cannot be validated, risk exists.

When Can User Input be Trusted?
Never.

What is the Risk?
The risk is essentially cross-site scripting, which has been well covered already by other presentations.
Any time the destination address can be modified, the user can be taken to a site with malicious intent.
Commonly used in phishing attacks.

How to Prevent the Risk? [4]
Simply avoid using redirects and forwards.
If they are used, do not allow the destination URL to come from user input.
At a minimum, have a method to validate the URL.
If user input is required, make sure the value is valid, appropriate within the context of the application, and that the user is authorized to access the destination.
Rather than using user input directly, map a limited set of possible input values to a domain of allowed destination URLs.
Store the list of trusted URLs securely, not in source code.
Notify all users when a redirect happens, especially if they are leaving your site, and require click confirmation.
[4] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Example of a Valid Redirect?
To prevent tampering, encode parameters.
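The mapping approach from the prevention slide and the "encode parameters" idea above can be combined in one servlet: the client sends an opaque key, and only a server-side lookup decides where the browser goes. This is an added example written for this page, not code from the presentation; "Destination" is the parameter name used on the slides, while the class name, keys and URLs are constructed placeholders.

```java
import java.io.IOException;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: redirect only to destinations looked up from a fixed table.
public class RedirectServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(RedirectServlet.class.getName());
    private static final String DEFAULT_TARGET = "/";

    // Opaque keys map to the only destinations the application will ever redirect to.
    // Per the OWASP cheat sheet, a real deployment loads this table from protected
    // configuration rather than keeping it in source; the entries here are placeholders.
    private static final Map<String, String> ALLOWED = Map.of(
            "home",   "/account/home",
            "help",   "https://help.example.com/",
            "mobile", "https://m.example.com/");

    // Resolve a user-supplied key to a trusted URL; anything unknown falls back to the default.
    static String resolve(String key) {
        if (key == null) {
            return DEFAULT_TARGET;
        }
        String target = ALLOWED.get(key);
        if (target == null) {
            // Unknown keys are worth logging for detection; scrub the value first so a crafted
            // parameter cannot inject newlines or control characters into the log.
            String safeKey = key.replaceAll("[^A-Za-z0-9_-]", "?");
            LOG.warning("rejected redirect key: " + safeKey);
            return DEFAULT_TARGET;
        }
        return target;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Vulnerable form from the slides: resp.sendRedirect(req.getParameter("Destination"));
        // Here the raw parameter never reaches sendRedirect; only a looked-up value does.
        resp.sendRedirect(resolve(req.getParameter("Destination")));
    }
}
```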

How to Detect?
In your own code: standard code review.
Tools: a redirect normally returns an HTTP status code in the 300-307 range; see www.redirect-checker.org.
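The 3xx check described above can be scripted so that each hop of a redirect chain is recorded instead of silently followed, which also shows when a chain leaves the original host. This is an added example for this page, not a tool from the presentation or from redirect-checker.org; it needs network access, and the default start URL is a placeholder.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;

// Added example: walk a redirect chain one hop at a time and report each status and target.
public class RedirectChainChecker {
    private static final int MAX_HOPS = 10; // guards against redirect loops

    public static List<String> trace(String startUrl) throws Exception {
        List<String> chain = new ArrayList<>();
        URL current = new URL(startUrl);
        String origin = current.getHost();
        for (int hop = 0; hop < MAX_HOPS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false); // we want to see every hop, not the final page
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();          // default method is GET
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            chain.add(status + " " + current);
            // Stop on anything outside the 300-307 range the slide mentions, or on a 3xx
            // that carries no Location header (e.g. 304 Not Modified).
            if (status < 300 || status > 307 || location == null) {
                break;
            }
            URL next = new URL(current, location);       // resolves relative Location values
            if (!next.getHost().equalsIgnoreCase(origin)) {
                chain.add("  -> leaves " + origin + " for " + next.getHost());
            }
            current = next;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "https://example.com/"; // placeholder
        for (String line : trace(target)) {
            System.out.println(line);
        }
    }
}
```

Run it against a redirector you own with a Destination-style parameter; a chain that ends on a host you do not control is the condition the slides warn about.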

What OWASP Has to Say [5]
Exploitability: Average
Prevalence: Uncommon
Detectability: Easy
Technical Impact: Moderate
Business Impact: Varies, application specific; may undermine trust
[5] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

Bonus Example – Email Newsletter
Take the newsletter below & the unsubscribe link.

Example – Email Newsletter
The Unsubscribe link goes to
http://eepurl.us7.list-manage.com/track/click?u=aff97178dc9be0c5fe5c1355d&id=dae1130494&e=e80a689799
and redirects the user to the link below:
http://yahoo.us7.list-manage1.com/subscribe?id=4782b1a8b6
The parameters in the redirect encode both the destination to redirect the user to and the identity of the recipient.

Questions?

Reference Summary
[1] https://www.owasp.org/index.php/Top_10_2013-Top_10
[2] https://www.google.com/about/appsecurity/reward-program/
[3] https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/
[4] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
[5] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards