Exploiting Redirect Page Vulnerability

April 2, 2013, by | Start Discussion

“If it ain’t broke, don’t fix it” is a wide spread phrase. Web developers usually develop applications based on this criteria and often forgets about security. This article discusses about such a security issue often neglected by developers.

When creating protected parts of a web application, developers checks whether the user is actually authorized to access the same or not. If the user is authorized, all are fine and the access permission is granted. If in case the user is not authorized a simple redirect is used to redirect user to a different section or page, like a log in page.

All looks neat from a developer’s perspective and it works without any issue. However, in some cases, the application keeps on sending the confidential part of the web application even after redirecting the user. Usually this won’t create any problems as the user is actually redirected and won’t be able to see rest of the page. Moreover, all these happens so quick that the users won’t even notice what is happening.

This is where the No-Redirect extension of OWASP Mantra comes in to the picture. It allows user to take the complete control over automatic redirects in web pages. Thus making it possible to actually stop the redirect and see the rest of the page getting loaded.

In this article, such a security issue in one of the popular content management system is explored. ChillyCMS is a content management system written in PHP and is available for free. The administration panel of ChillyCMS can be accessed at localhost/ChillyCMS/admin/. It redirects users to a log in page if a valid session is not found.

In order to stop this redirection, a rule has to be added to No-Redirect in OWASP Mantra.
No-Redirect can be accessed at OWASP Mantra menu -> Tools -> Application Auditing -> No-Redirect.

Since the requirement is to control all automatic redirect on www.example.com, the following rule has to be added:
^http://localhost/ChillyCMS/

Once it is done, just visit the admin page again and the page grants complete access to the administration panel.

There are many web applications out there vulnerable to this particular issue. Almost a year back, a similar issue was reported on OneFileCMS. Unlike many other security issues, it is very much easy to fix this type of security issues. The web developer just has to terminate further execution of the script immediately after the user is redirected.

 

 

 

Abhi M Balakrishnan is an Electronics hobbyist turned Hacktivist, Working as Information Security Consultant to put food on his table and roof over his head and has Performed several security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews etc.

Leave a Reply