External Redirect
Reference
Plugin Id: 20019
Remediation
To prevent this type of issue, limit redirects to relative paths, or to a mapping of URL IDs to URLs so that users never supply a URL directly. If user input MUST be passed, validate that the target resource is located where you intend it to be; for example, strip protocol information if found when all of your redirects should be local.
Example of limiting redirects to relative paths:
<?php
// Get the redirect URL from user input (empty string if the parameter is absent)
$redirectUrl = $_GET['redirect'] ?? '';
// Validate that the redirect URL is a relative path: it must start with a single
// "/" and not with "//" or "/\", which browsers treat as protocol-relative URLs
// pointing at another host
if (preg_match('#^/(?![/\\\\])#', $redirectUrl)) {
    // Redirect to the relative path and stop processing
    header('Location: ' . $redirectUrl);
    exit;
} else {
    // Handle the error or redirect to a default page
    // ...
}
Example of using a mapping of URLs to URL IDs:
<?php
// Define a mapping of URL IDs to URLs
$urlMapping = [
    '1' => 'https://example.com',
    '2' => 'https://example.org',
    // ...
];
// Get the URL ID from user input (empty string if the parameter is absent)
$urlId = $_GET['urlId'] ?? '';
// Validate that the URL ID exists in the mapping
if (isset($urlMapping[$urlId])) {
    // Redirect to the corresponding URL and stop processing
    header('Location: ' . $urlMapping[$urlId]);
    exit;
} else {
    // Handle the error or redirect to a default page
    // ...
}
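As an added example (not code from the original page or from the scanner project), the following PHP script combines both recommendations above into one validator: a path-only check that also rejects the protocol-relative forms "//host" and "/\host", plus an optional mode that strips the protocol and host from an absolute URL when all redirects should be local. The function name safeLocalRedirect, its parameters and the sample inputs are assumptions.

```php
<?php
// Added example (not from the original page): a single validator that implements
// both recommendations above. It accepts only local, path-only targets and, when
// $stripProtocol is true, reduces absolute URLs to their path so that all
// redirects stay on this host. Function and parameter names are assumptions.
function safeLocalRedirect(string $input, bool $stripProtocol = false): ?string
{
    // Reject control characters and whitespace that browsers may tolerate
    // (e.g. "java\tscript:") before any parsing is done.
    if ($input === '' || preg_match('/[\x00-\x20\x7f]/', $input)) {
        return null;
    }
    $parts = parse_url($input);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        if (!$stripProtocol) {
            return null;           // absolute or protocol-relative URL: not allowed
        }
        // Keep only the path (and query) so the browser stays on this origin.
        $input = ($parts['path'] ?? '/')
               . (isset($parts['query']) ? '?' . $parts['query'] : '');
    }
    // Must start with a single "/" and not with "//" or "/\", which browsers
    // treat as protocol-relative and would send the user to another host.
    if (!preg_match('#^/(?![/\\\\])#', $input)) {
        return null;
    }
    return $input;
}

// Constructed inputs and the results the function returns for them:
//   '/account'                -> '/account'
//   '//evil.example/login'    -> null
//   '/\\evil.example'         -> null
//   'https://evil.example/x'  -> null  (with $stripProtocol = false)
//   'https://evil.example/x'  -> '/x'  (with $stripProtocol = true)
//   'javascript:alert(1)'     -> null  (in both modes)

$target = safeLocalRedirect($_GET['redirect'] ?? '', false);
header('Location: ' . ($target ?? '/'));
exit;
```

Any rejected input falls back to the site root rather than echoing the attacker-controlled value into the Location header.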
About
The vulnerability “External Redirect” occurs when an attacker is able to manipulate the redirect URL in an application. This allows the attacker to trick users into following links to malicious resources from an application they trust.
Risks
An attacker can use this vulnerability to deceive users into visiting malicious websites or downloading harmful files. This can lead to various security risks, such as:
- Phishing attacks: The attacker can redirect users to fake websites that mimic legitimate ones, tricking them into entering sensitive information like passwords or credit card details.
- Malware downloads: The attacker can redirect users to websites that automatically download malware onto their devices, compromising their security and privacy.
- Drive-by downloads: The attacker can redirect users to websites that exploit vulnerabilities in their browsers or plugins, leading to the automatic download and execution of malicious code.
- Browser hijacking: The attacker can redirect users to websites that modify their browser settings, such as changing the default search engine or installing unwanted browser extensions.
It is important to address this vulnerability to protect users from falling victim to these risks.