Posts Tagged ‘open redirection’

Google Open Redirection Vulnerability

October 5th, 2010

A month ago we found an Open Redirection vulnerability in Google. The vendor has already fixed it, and we were thinking about how we could add value to the disclosure. After some thought, we decided that showing how we found the vulnerability was more interesting than the vulnerability itself, so here we go:

After identifying Twitter’s Open Redirection vulnerability, we thought it would be cool to find one at Google. Given that “google.com” is huge, we used Google’s own search engine and some dorks to narrow down our tests. Interestingly enough, that worked perfectly and we were able to identify vulnerabilities within the first 10 minutes of testing! The following screenshot (click on the image to enlarge it) illustrates this step:

Google Dork used to find the vulnerability

In one of the resulting links we found that, by browsing to:

http://www.google.com/bookmarks/url?url=http://www.bonsai-sec.com

The affected user was redirected to http://www.bonsai-sec.com without any warning, allowing possible phishing attacks. The following screenshots show the complete HTTP traffic:

Burp HTTP Traffic Capture I

And the response from the server with the new Location header:

Burp HTTP Traffic Capture II

After some deeper testing with DirBuster, we discovered that other instances/directories were also affected:

http://www.google.com/psearch/url?url=http://www.bonsai-sec.com

http://www.google.com/searchhistory/url?url=http://www.bonsai-sec.com

http://www.google.com/history/url?url=http://www.bonsai-sec.com

New vectors to exploit this kind of vulnerability are being discussed in Web security forums: depending on the browser, it might be possible to execute JavaScript code in the victim’s browser, which changes the real risk associated with this type of vulnerability.

nahuel (bonsai, security)

Twitter Open Redirection Vulnerability

August 3rd, 2010

Recently we found an Open Redirection vulnerability in Twitter. To understand a little more about this, we can cite OWASP’s definition:

“An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.”

The following Proof of Concept was sent to the Twitter security team:

https://twitter.com/login?redirect_after_login=http://www.bonsai-sec.com

After a successful login, the affected user is redirected to http://www.bonsai-sec.com without any warning, allowing possible phishing attacks.

This vulnerability was patched by the Twitter security team last week (after we reported it and got almost no answer from them).

Detailed information can be found at: http://www.bonsai-sec.com/en/research/vulnerabilities/twitter-open-redirect-0108.php
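Both posts above (Google’s url= endpoints and Twitter’s redirect_after_login= parameter) describe the same missing check: the parameter value is copied into the Location header with no validation. The following Python is an added example, not code from Google, Twitter or Bonsai Security, that puts that vulnerable handler pattern next to a hardened one built on an allow-list of hosts. ALLOWED_HOSTS, APP_ORIGIN and the handler names are assumptions for the illustration; the sample inputs are constructed and reuse the proof-of-concept value from the posts.

```python
from urllib.parse import urlsplit, urljoin

# Constructed example values: the hosts this application may redirect to,
# and the origin used to turn relative targets into absolute URLs.
ALLOWED_HOSTS = frozenset({"www.example.com", "accounts.example.com"})
APP_ORIGIN = "https://www.example.com"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` leads to an allowed host over http(s),
    or is a plain site-relative path on this application.

    Rejected inputs include:
      * absolute URLs to foreign hosts        http://www.bonsai-sec.com
      * scheme-relative URLs                  //www.bonsai-sec.com
      * userinfo tricks                       https://www.example.com@evil.example/
      * non-http(s) schemes                   javascript:alert(1)
      * backslash variants that browsers      /\\evil.example
        normalise to forward slashes
    """
    if not target:
        return False
    # Control characters (tab, newline, ...) only ever serve to confuse
    # parsers; refuse them rather than try to clean them up.
    if any(ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    normalised = target.strip().replace("\\", "/")
    parts = urlsplit(normalised)
    # Any scheme other than http/https (javascript:, data:, ...) is never safe.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    # Absolute or scheme-relative URL: the host itself must be on the allow-list.
    # `hostname` strips userinfo and port and lowercases, so exact matching works.
    if parts.netloc:
        return parts.hostname in allowed_hosts
    # No host part: accept only an ordinary site-relative path.
    return normalised.startswith("/") and not normalised.startswith("//")


def vulnerable_redirect(target: str) -> dict:
    """The flawed pattern behind the advisories above: the parameter value is
    copied straight into the Location header. Constructed illustration only."""
    return {"status": 302, "Location": target}


def safe_redirect(target: str, fallback: str = "/") -> dict:
    """Hardened handler: redirect only to a validated destination, otherwise
    to a fixed fallback page on this application."""
    destination = target if is_safe_redirect(target) else fallback
    # urljoin turns a site-relative path into an absolute URL on our origin and
    # leaves an already-absolute (allow-listed) URL untouched.
    return {"status": 302, "Location": urljoin(APP_ORIGIN, destination)}


if __name__ == "__main__":
    # Constructed sample of values a url= / redirect_after_login= parameter
    # might carry, including the proof-of-concept value from the posts above.
    samples = [
        "/dashboard",
        "https://accounts.example.com/settings",
        "http://www.bonsai-sec.com",
        "//www.bonsai-sec.com",
        "/\\www.bonsai-sec.com",
        "https://www.example.com@www.bonsai-sec.com/",
        "javascript:alert(1)",
    ]
    for value in samples:
        print(f"{value!r:50} vulnerable -> {vulnerable_redirect(value)['Location']!r:45} "
              f"safe -> {safe_redirect(value)['Location']!r}")
```

The allow-list matches the parsed hostname exactly, so suffix lookalikes such as www.example.com.evil.example are rejected as well; if relative paths without a leading slash are needed, they should be resolved against APP_ORIGIN first and then re-checked, rather than accepted as-is.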

nahuel (bonsai, security)