Open redirect flaws have been around for quite a while. But with social engineering being such an effective tactic, threat actors are now combining their technical knowledge with psychological manipulation to make open redirects even more dangerous. This article describes the use of open redirect flaws as a phishing tactic and offers some tips to protect your employees and your business against it.
An open redirect flaw exists when two conditions are met:
Because of this lack of validation, threat actors can manipulate URL parameters to redirect users to malicious sites.
Many web applications and websites redirect the user to another part of the app, or to a different app or site altogether, by passing the destination URL as a URL parameter. Consider the following link:
A user clicking the above hypothetical link gets redirected to the homepage of examplesite.com. However, if examplesite.com doesn’t validate or restrict the values of the URL parameter, an attacker could replace the destination URL with a malicious web page under their control, such as:
Open redirect flaws aren’t automatically dangerous. In the hands of a threat actor adept at social engineering, though, these flaws are particularly damaging. The damage occurs when an adversary crafts a convincing phishing attack that persuades the recipient to visit this malicious URL. Users are often completely unaware that they’re being redirected to a potentially harmful site, since the initial part of the URL appears legitimate.
A variety of methods help hackers discover websites or applications that have open redirect flaws among the over 1.1 billion websites on the internet.
By knowing how attackers search for vulnerabilities, developers and security professionals can better secure their web applications and monitor for potential attack attempts. Regular penetration testing, vulnerability assessments and software updates are some of the best practices to prevent these flaws in a website or app.
Open redirect flaws work so well as a phishing tactic because they ruthlessly exploit trust. The initial part of the link originates from a trusted source, which makes people inclined to trust the entire URL without a hint of suspicion, even if it redirects them to a malicious site.
Complicating matters is the ability to further disguise malicious URLs using link shorteners. Open redirect flaws also facilitate phishing by bypassing some basic security controls. Some security solutions automatically allow links to trusted domains, and an open redirect gets past these checks because the link originates from a safelisted domain.
Identifying Phishing Attacks That Exploit Open Redirects
Given the ability of open redirect flaws to piggyback off trust in certain domains, identifying them requires specific user training. To ensure your team can spot phishing attacks that exploit open redirects, here are some tips:
Aside from these tips to improve employee awareness, your business should also implement safeguards. Multi-factor authentication for important apps and services provides an extra layer of defense against phishing emails that target login credentials. Email security software with link-scanning capabilities backed by AI can also help identify and block emails that exploit open redirect flaws.
Website admins or web app security teams can mitigate these flaws by never using input from the user to determine the redirection target. Instead of passing a URL as the redirection target, pass a short code that the server maps to a full URL. If a web app must accept a URL, maintain a safelist of authorized destinations to which redirects are allowed and reject any URL not on the safelist.
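The two mitigations described above, the server-side code map and the safelist check, as an added example; this is not code from the article or from Nuspire, and the map contents, host names, default target and framework-free function signatures are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: short codes mapped server-side to full URLs, so the
# user-supplied parameter never carries a destination URL at all.
REDIRECT_MAP = {
    "home": "https://examplesite.com/",
    "docs": "https://docs.examplesite.com/start",
}

# Constructed safelist of hosts that redirects are permitted to reach.
ALLOWED_HOSTS = {"examplesite.com", "docs.examplesite.com"}

# Used whenever the requested target cannot be validated.
DEFAULT_TARGET = "https://examplesite.com/"


def redirect_by_code(code: str) -> str:
    """Preferred approach: resolve a short code; unknown codes fall back."""
    return REDIRECT_MAP.get(code, DEFAULT_TARGET)


def redirect_by_safelist(target: str) -> str:
    """Fallback approach when a full URL must be accepted: allow it only if
    the scheme is https and the host is exactly one of the safelisted hosts."""
    if "\\" in target:
        # Some clients treat backslashes as slashes; reject rather than guess.
        return DEFAULT_TARGET
    parts = urlsplit(target)
    if parts.scheme != "https":
        # Also rejects scheme-less "//host/..." forms and non-web schemes.
        return DEFAULT_TARGET
    if parts.username or parts.password:
        # Credentials in the authority make the visible host misleading.
        return DEFAULT_TARGET
    if parts.hostname not in ALLOWED_HOSTS:
        # Exact host match: subdomains or lookalike suffixes are not allowed.
        return DEFAULT_TARGET
    return target
```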
Cyber adversaries boost their chances of successful attacks by using industry-specific insights. Social engineering attacks that use open redirect flaws can become even more dangerous in the hands of threat groups who tailor their attacks to specific industries.
That’s where Nuspire’s threat modeling comes in to help you better understand the latest tactics and techniques adversaries are using in your industry. Not only do you get high-quality threat intel, but we go one step further with recommendations to improve or develop a more effective security program.