
Google Open Redirection Vulnerability

October 5th, 2010

A month ago, we found an Open Redirection vulnerability in Google. The vendor has already fixed it, and we were thinking about how we could add value to the disclosure. After some thought, we decided that showing how we found the vulnerability was more interesting than the vulnerability itself, so… here we go:

After identifying Twitter’s Open Redirection Vulnerability, we thought it would be cool to find one at Google. Given that “google.com” is huge, we used Google’s own search engine and some dorks to narrow down our tests. Interestingly enough, that worked perfectly and we were able to identify vulnerabilities within the first 10 minutes of testing! The following screenshot illustrates this step:

Google Dork used to find the vulnerability

In that result we found that by browsing:

http://www.google.com/bookmarks/url?url=http://www.bonsai-sec.com

The affected user was redirected to http://www.bonsai-sec.com without any warning, allowing possible phishing attacks. The following screenshots show the complete HTTP traffic:

Burp HTTP Traffic Capture I

And the answer from the server with a new location:

Burp HTTP Traffic Capture II

Doing some deeper testing with DirBuster, we discovered that other instances/directories were also affected:

http://www.google.com/psearch/url?url=http://www.bonsai-sec.com

http://www.google.com/searchhistory/url?url=http://www.bonsai-sec.com

http://www.google.com/history/url?url=http://www.bonsai-sec.com

New vectors to exploit this kind of vulnerability are being discussed in Web security forums. Depending on the browser, it might be possible to execute JavaScript code in the victim’s browser, which changes the real risk associated with this type of vulnerability.
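To contrast the behaviour described above (the `url` parameter is copied straight into the `Location` header) with a hardened redirect handler, here is an added example in Python; it is not Google’s code and not part of the original post. The `ALLOWED_HOSTS` allow-list and the function names are assumptions, and the hardened version also covers the scheme-relative, backslash and `javascript:` forms mentioned in the forum discussions.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"www.google.com", "google.com"}


def naive_redirect_target(url: str) -> str:
    """The vulnerable pattern the post describes: whatever arrives in
    ?url= becomes the Location header, so any external site is reachable."""
    return url


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return a redirect target that stays on an allowed host.

    Rejects foreign hosts, scheme-relative URLs (//evil.example),
    non-http(s) schemes such as javascript:, and backslash variants that
    some browsers parse as slashes. Falls back to `default` when unsafe.
    """
    # Browsers drop tab/CR/LF inside URLs and many treat "\" as "/",
    # so normalise before parsing rather than trusting the raw string.
    candidate = re.sub(r"[\t\r\n]", "", url).replace("\\", "/").strip()
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, etc.

    if parts.netloc:
        # An absolute or scheme-relative URL: the host must be allow-listed.
        # .hostname strips any user:pass@ prefix and port, so
        # "http://www.google.com@evil.example" resolves to evil.example.
        host = (parts.hostname or "").lower()
        return candidate if host in ALLOWED_HOSTS else default

    # No host at all: accept only a plain local path, never "//host" forms.
    if candidate.startswith("//") or not candidate.startswith("/"):
        return default
    return candidate
```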

Posted by nahuel in bonsai, security
