URL redirect (jump) vulnerability explained - vulnerability warning - 黑吧安全网 (myhack58)

2013-01-09T00:00:00
ID MYHACK58:62201336634
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-01-09T00:00:00

Description

0x00 Background

Applications increasingly need to interact with third-party applications, and an application's own internal logic often sends the user to different pages depending on the situation. A typical example is a login page that, after successful authentication, sends the user back to the page they were on before logging in. If this is implemented carelessly it can cause security problems, and under specific conditions it can become a serious vulnerability.

0x01 Causes

A URL jump is generally implemented in one of a few ways:

  1. A META refresh tag in the page
  2. A javascript redirect (for example assigning location.href)
  3. An HTTP Location header

The application receives the URL to jump to via GET or POST and then uses one of the methods above to send the browser there. On one hand, because user input is placed into a META tag, into javascript, or into an HTTP header, the context-specific vulnerabilities for each of those (XSS, header injection, and so on) can arise. On the other hand, even the jump itself, purely as a feature, is defective: the user's browser is led from a trusted site to an untrusted one, and if the redirect carries sensitive data (for example in the URL), that data can leak to an untrusted third party.

For example, a typical login redirect looks like this:

<?php
// Vulnerable: the jumpto parameter is taken from the query string and
// sent back verbatim in the Location header, so any URL is accepted.
$url = $_GET['jumpto'];
header("Location: $url");
?>

If jumpto is not restricted in any way, a malicious user can submit

http://www.xxx.net/login.php?jumpto=http://www.evil.com

and circulate it as their own malicious link. A user with low security awareness is likely to assume the link leads to content on the site shown in it (here www.xxx.net), which makes fraud possible. Moreover, IM clients such as QQ and Taobao Wangwang filter URLs, and let links to certain sites through on an allow-list basis, so a malicious URL of this form can spread through IM and do harm. For example, an IM client may treat everything on www.wooyun.org as trusted, yet clicking a link of the kind above inside the IM ends with the user on evil.com.
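The check that the login.php snippet above is missing, as an added example that is not code from the original article. The article's snippet is PHP; the same validation is shown here in Python so it can be run and tested offline. The host www.xxx.net and the attacker's evil.com come from the article; ALLOWED_HOSTS, DEFAULT_TARGET, the helper names and the sample inputs in main() are assumptions made for the demo. It goes beyond the article's single case by also rejecting the scheme-relative, backslash, userinfo and look-alike-host forms that a plain "starts with http://www.xxx.net" check lets through.

```python
"""Validating a login-redirect parameter before emitting a Location header.

Added example (not from the original article). ALLOWED_HOSTS, DEFAULT_TARGET
and the sample inputs are assumptions; www.xxx.net and evil.com are the hosts
the article uses.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Hosts this application may redirect to (assumed: the article's own host only).
ALLOWED_HOSTS = {"www.xxx.net"}
# Where to send the user when jumpto is missing or rejected (assumed).
DEFAULT_TARGET = "/"


def safe_redirect_target(jumpto, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on an allowed host, else `default`.

    Rejected: other hosts, scheme-relative URLs (//evil.com, ///evil.com,
    /\\evil.com), non-http(s) schemes (javascript:, data:), userinfo tricks
    (http://www.xxx.net@evil.com), look-alike hosts (www.xxx.net.evil.com)
    and CR/LF/TAB that could inject a second header line.
    """
    if not jumpto:
        return default
    # Browsers treat "\" as "/" in http(s) URLs; normalise first so that
    # "/\evil.com" is seen for what it is.
    candidate = jumpto.replace("\\", "/")
    # CR/LF/TAB would let the value break out of the Location header line.
    if any(c in candidate for c in "\r\n\t"):
        return default
    # Browsers parse any run of leading slashes as "authority follows",
    # i.e. another host. urlsplit only treats exactly two slashes that way,
    # so reject all of them up front.
    if candidate.startswith("//"):
        return default

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s), and only to an allowed host.
        # .hostname drops userinfo and port, so "www.xxx.net@evil.com" -> "evil.com".
        if parts.scheme not in ("http", "https"):
            return default
        if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
            return default
        return candidate

    # Relative URL: require a path that starts at the site root.
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def redirect_for_login_url(login_url):
    """Simulate login.php: take jumpto from the request URL and validate it."""
    query = parse_qs(urlsplit(login_url).query)
    return safe_redirect_target(query.get("jumpto", [""])[0])


if __name__ == "__main__":
    # The article's attack URL plus a few constructed variants.
    samples = [
        "http://www.xxx.net/login.php?jumpto=http://www.evil.com",
        "http://www.xxx.net/login.php?jumpto=/account",
        "http://www.xxx.net/login.php?jumpto=//evil.com",
        "http://www.xxx.net/login.php?jumpto=http://www.xxx.net@evil.com/",
    ]
    for url in samples:
        print(f"{url}\n  -> Location: {redirect_for_login_url(url)}")
```

The safest policy is the one the relative branch implements: accept only site-root paths and ignore absolute URLs entirely. The absolute branch is there for applications that genuinely need to redirect to a small set of their own hosts; note that it compares the full host against the allow list, never a prefix or substring, which is what makes www.xxx.net.evil.com fail.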

0x02 Attacks and harm

A malicious user can use a URL jump vulnerability to deceive users with low security awareness, for example with "you have won a prize" scams; for companies that run an online business, such as Taobao, this is very damaging. A URL jump can also break some security restrictions built on an allow-list model. Traditional IM clients, for instance, run a security check on URLs being sent, but URLs under a large company's domain are passed straight through and displayed as trusted; once such a URL contains a jump vulnerability, that restriction can be bypassed.

Resource-embedding restrictions that depend on an allow-list model can be bypassed the same way. A common case is an application that allows video from trusted sites such as youku.com to be embedded, and enforces this by checking whether the URL is on youku.com. If youku.com contains a URL jump vulnerability, the resource that is ultimately loaded belongs to an untrusted third party or a malicious site, which leads to security problems.
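The youku.com scenario above, as an added example that is not code from the original article: `naive_allowed` is the check the article describes (look only at the submitted URL's host), and `resolved_allowed` follows the redirect chain first and checks every host reached. The network is replaced by FAKE_HOPS, a constructed table of Location responses; the /jump?to= path and the video URL are invented for the demo and do not describe any real youku.com endpoint.

```python
"""Allow-list check for embedded resources that survives an open redirect.

Added example (not from the original article). TRUSTED_HOSTS, FAKE_HOPS and
the URLs in it are constructed for the demo.
"""
from urllib.parse import urljoin, urlsplit

# Hosts whose resources the application is willing to embed (assumed).
TRUSTED_HOSTS = {"youku.com", "www.youku.com"}

# Constructed stand-in for HTTP: request URL -> Location header it answers
# with, or None for a final (non-redirect) response.
FAKE_HOPS = {
    "http://www.youku.com/jump?to=http://evil.com/player.swf": "http://evil.com/player.swf",
    "http://evil.com/player.swf": None,
    "http://www.youku.com/video/demo.html": None,
}


def fake_fetch_location(url):
    """Return the Location header FAKE_HOPS says `url` answers with."""
    return FAKE_HOPS[url]  # KeyError for URLs the table does not know


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def naive_allowed(url, trusted=TRUSTED_HOSTS):
    """The check the article describes: look only at the submitted URL's host."""
    return host_of(url) in trusted


def resolve_chain(url, fetch_location=fake_fetch_location, max_hops=5):
    """Follow Location headers and return the list of URLs visited, starting
    with `url` and ending at the final non-redirect response. Returns None
    on a redirect loop, too many hops, or a URL the fetcher cannot answer for."""
    chain = [url]
    for _ in range(max_hops + 1):
        try:
            nxt = fetch_location(chain[-1])
        except KeyError:
            return None
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            return None
        chain.append(nxt)
    return None


def resolved_allowed(url, trusted=TRUSTED_HOSTS, fetch_location=fake_fetch_location):
    """Allow only if the submitted URL and every URL reached stay on trusted hosts.

    Returns (allowed, final_url). Embed final_url, not the submitted URL, so a
    later change to the redirect cannot swap in a different resource.
    """
    chain = resolve_chain(url, fetch_location)
    if chain is None:
        return False, None
    if all(host_of(u) in trusted for u in chain):
        return True, chain[-1]
    return False, chain[-1]


if __name__ == "__main__":
    bypass = "http://www.youku.com/jump?to=http://evil.com/player.swf"
    print("naive   :", naive_allowed(bypass))      # True: host is youku.com
    print("resolved:", resolved_allowed(bypass))   # (False, 'http://evil.com/player.swf')
```

Resolving at check time still leaves a window: the trusted site could change where /jump sends the browser after the check has passed. Storing and embedding the resolved final URL (as `resolved_allowed` returns it) closes that window, because the page then never references the redirecting URL at all.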

0x03 Real cases

a. WooYun (乌云): a URL jump vulnerability in Baidu

Used a URL jump to break the IM security check and spread a malicious URL

b. WooYun (乌云): a Taobao website redirect used for phishing (fifth experience)

Used a URL jump to exploit trading users' trust in the URL and carry out fraud

c http://hi.baidu.com/rayh4c/blog/item/8fde4b23ffa2045e9822edb9.html

Used a URL jump to bypass the application's restriction on referenced resources, leading to a security vulnerability
