Skip to content

Commit

Permalink
Merge pull request #542 from digininja/open_redirect
Browse files Browse the repository at this point in the history
Open redirect
  • Loading branch information
digininja authored Mar 10, 2023
2 parents 29dab22 + 513a134 commit 897fb0f
Show file tree
Hide file tree
Showing 10 changed files with 275 additions and 0 deletions.
1 change: 1 addition & 0 deletions dvwa/includes/dvwaPage.inc.php
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,7 @@ function dvwaHtmlEcho( $pPage ) {
if (dvwaCurrentUser() == "admin") {
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'authbypass', 'name' => 'Authorisation Bypass', 'url' => 'vulnerabilities/authbypass/' );
}
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'open_redirect', 'name' => 'Open HTTP Redirect', 'url' => 'vulnerabilities/open_redirect/' );
}

$menuBlocks[ 'meta' ] = array();
Expand Down
57 changes: 57 additions & 0 deletions vulnerabilities/open_redirect/help/help.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
<div class="body_padded">
<h1>Help - Open HTTP Redirect</h1>

<div id="code">
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
<tr>
<td><div id="code">
<h3>About</h3>
<p>
OWASP define this as:
</p>
<blockquote cite="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
</blockquote>

<p>As suggested above, a common use for this is to create a URL which initially goes to the real site but then redirects the victim off to a site controlled by the attacker. This site could be a clone of the target's login page to steal credentials, a request for credit card details to pay for a service on the target site, or simply a spam page full of advertising.</p>

<br /><hr /><br />

<h3>Objective</h3>
<p>Abuse the redirect page to move the user off the DVWA site or onto a different page on the site than expected.</p>

<br /><hr /><br />

<h3>Low Level</h3>
<p>The redirect page has no limitations, you can redirect to anywhere you want.</p>
<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja</span></p>

<br />

<h3>Medium Level</h3>
<p>The code prevents you from using absolute URLs to take the user off the site, so you can either use relative URLs to take them to other pages on the same site or a <a href="https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL" target="_blank">Protocol-relative URL</a>.</p>

<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=//digi.ninja</span></p>

<br />

<h3>High Level</h3>
<p>The redirect page tries to lock you to only redirect to the info.php page, but does this by checking that the URL contains "info.php".</p>

<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja/?a=info.php</span></p>

<br />

<h3>Impossible Level</h3>
<p>Rather than accepting a page or URL as the redirect target, the system uses ID values to tell the redirect page where to redirect to. This ties the system down to only redirect to pages it knows about and so there is no way for an attacker to modify things to go to a page of their choosing.</p>

</div></td>
</tr>
</table>

</div>

<br />

<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Password_cracking' ); ?></p>
</div>
60 changes: 60 additions & 0 deletions vulnerabilities/open_redirect/index.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
<?php

define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup( array( 'authenticated', 'phpids' ) );

$page = dvwaPageNewGrab();
$page[ 'title' ] = 'Vulnerability: Open HTTP Redirect' . $page[ 'title_separator' ].$page[ 'title' ];
$page[ 'page_id' ] = 'open_redirect';
$page[ 'help_button' ] = 'open_redirect';
$page[ 'source_button' ] = 'open_redirect';
dvwaDatabaseConnect();

switch( dvwaSecurityLevelGet() ) {
case 'low':
$link1 = "source/low.php?redirect=info.php?id=1";
$link2 = "source/low.php?redirect=info.php?id=2";
break;
case 'medium':
$link1 = "source/medium.php?redirect=info.php?id=1";
$link2 = "source/medium.php?redirect=info.php?id=2";
break;
case 'high':
$link1 = "source/high.php?redirect=info.php?id=1";
$link2 = "source/high.php?redirect=info.php?id=2";
break;
default:
$link1 = "source/impossible.php?redirect=1";
$link2 = "source/impossible.php?redirect=2";
break;
}

$page[ 'body' ] .= "
<div class=\"body_padded\">
<h1>Vulnerability: Open HTTP Redirect</h1>
<div class=\"vulnerable_code_area\">
<h2>Hacker History</h2>
<p>
Here are two links to some famous hacker quotes, see if you can hack them.
</p>
<ul>
<li><a href='{$link1}'>Quote 1</a></li>
<li><a href='{$link2}'>Quote 2</a></li>
</ul>
{$html}
</div>
<h2>More Information</h2>
<ul>
<li>" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . "</li>
</ul>
</div>\n";

dvwaHtmlEcho( $page );

?>
21 changes: 21 additions & 0 deletions vulnerabilities/open_redirect/source/high.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
<?php

if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
if (strpos($_GET['redirect'], "info.php") !== false) {
header ("location: " . $_GET['redirect']);
exit;
} else {
http_response_code (500);
?>
<p>You can only redirect to the info page.</p>
<?php
exit;
}
}

http_response_code (500);
?>
<p>Missing redirect target.</p>
<?php
exit;
?>
29 changes: 29 additions & 0 deletions vulnerabilities/open_redirect/source/impossible.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
<?php

$target = "";

if (array_key_exists ("redirect", $_GET) && is_numeric($_GET['redirect'])) {
switch (intval ($_GET['redirect'])) {
case 1:
$target = "info.php?id=1";
break;
case 2:
$target = "info.php?id=2";
break;
case 99:
$target = "https://digi.ninja";
break;
}
if ($target != "") {
header ("location: " . $target);
exit;
} else {
?>
Unknown redirect target.
<?php
exit;
}
}

?>
Missing redirect target.
61 changes: 61 additions & 0 deletions vulnerabilities/open_redirect/source/info.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
<?php

define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' );
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup( array( 'authenticated', 'phpids' ) );

$page = dvwaPageNewGrab();
$page[ 'title' ] = 'Vulnerability: Open HTTP Redirect' . $page[ 'title_separator' ].$page[ 'title' ];
$page[ 'page_id' ] = 'open_redirect';
$page[ 'help_button' ] = 'open_redirect';
$page[ 'source_button' ] = 'open_redirect';
dvwaDatabaseConnect();

$info = "";

if (array_key_exists ("id", $_GET) && is_numeric($_GET['id'])) {
switch (intval ($_GET['id'])) {
case 1:
$info = "Why did he come to you?<br />I got a record, I was Zero Cool<br />Zero Cool. Crashed 1507 systems in one day, biggest crash in history, front page, New York Times August 10th 1988.";
break;
case 2:
$info = "Who are you anyway?<br />Johnny.<br />Johnny who?<br />Just... Johnny?";
break;
default:
$info = "Some other stuff";
}
}

if ($info == "") {
http_response_code (500);
?>
<p>Missing quote ID.</p>
<?php
exit;
}

$page[ 'body' ] .= "
<div class=\"body_padded\">
<h1>Vulnerability: Open HTTP Redirect</h1>
<div class=\"vulnerable_code_area\">
<h2>Hacker Quotes</h2>
<p>
{$info}
</p>
<p><a href='../'>Back</a></p>
{$html}
</div>
<h2>More Information</h2>
<ul>
<li>" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . "</li>
</ul>
</div>\n";

dvwaHtmlEcho( $page );

?>
13 changes: 13 additions & 0 deletions vulnerabilities/open_redirect/source/low.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<?php

if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
header ("location: " . $_GET['redirect']);
exit;
}

http_response_code (500);
?>
<p>Missing redirect target.</p>
<?php
exit;
?>
21 changes: 21 additions & 0 deletions vulnerabilities/open_redirect/source/medium.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
<?php

if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
if (preg_match ("/http:\/\/|https:\/\//i", $_GET['redirect'])) {
http_response_code (500);
?>
<p>Absolute URLs not allowed.</p>
<?php
exit;
} else {
header ("location: " . $_GET['redirect']);
exit;
}
}

http_response_code (500);
?>
<p>Missing redirect target.</p>
<?php
exit;
?>
6 changes: 6 additions & 0 deletions vulnerabilities/view_source.php
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,12 @@
case "javascript" :
$vuln = 'JavaScript';
break;
case "authbypass" :
$vuln = 'Authorisation Bypass';
break;
case "open_redirect" :
$vuln = 'Open HTTP Redirect';
break;
default:
$vuln = "Unknown Vulnerability";
}
Expand Down
6 changes: 6 additions & 0 deletions vulnerabilities/view_source_all.php
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,12 @@
case "weak_id" :
$vuln = 'Weak Session IDs';
break;
case "authbypass" :
$vuln = 'Authorisation Bypass';
break;
case "open_redirect" :
$vuln = 'Open HTTP Redirect';
break;
default:
$vuln = "Unknown Vulnerability";
}
Expand Down

0 comments on commit 897fb0f

Please sign in to comment.