Open Redirect Flaws as a Phishing Tactic

Open redirect flaws have been around for quite a while. But with social engineering being such an effective tactic, threat actors are now combining their technical knowledge with psychological manipulation to make open redirects even more dangerous. This article describes the use of open redirect flaws as a phishing tactic and offers some tips to protect your employees and your business against it.  

What is an Open Redirect Flaw? 

An open redirect flaw exists when two conditions are met: 

  1. A web application uses parameter values in the URL to redirect the user to another website. 
  2. The web app doesn’t validate or restrict these parameters to a specific set of known good values. 

Because of this lack of validation, threat actors can manipulate URL parameters to redirect users to malicious sites. 

Many web applications/websites can redirect the user to different parts of the app or even to different apps/sites altogether by passing the destination URL as a parameter. Consider the following link: 

https://examplesite.com/redirect.jsp?url=https://examplesite.com/home 

A user clicking the above hypothetical link gets redirected to the homepage of examplesite.com. However, if examplesite.com doesn’t validate or restrict the values of the URL parameter, an attacker could replace the destination URL with a malicious web page under their control, such as: 

https://examplesite.com/redirect.jsp?url=https://malwaredownloader.com 

Open redirect flaws aren’t automatically dangerous. In the hands of a threat actor adept at social engineering, though, these flaws are particularly damaging. The damage occurs when an adversary crafts a convincing phishing attack that persuades the recipient into visiting this malicious URL. Users are often completely unaware that they’re being redirected to a potentially harmful site since the initial part of the URL appears legitimate. 

How Threat Actors Find Open Redirect Flaws 

Attackers use a variety of methods to discover which of the over 1.1 billion websites on the internet have open redirect flaws. 

  • Automated scanning: Several tools can be configured to scan websites for vulnerabilities, including open redirect flaws. These tools can quickly and efficiently identify potential targets by sending specific payloads to web applications and observing the responses. Examples include OWASP ZAP, Burp Suite and Acunetix. 
  • Manual analysis: Skilled attackers often manually inspect websites and web applications and search for specific URL parameters that hint at redirection functionality, such as redirect=, url= or next=.  
  • Google dorking: Google search can be a useful tool for attackers. Using specific search queries called “Google dorks,” they can find URLs that may be susceptible to open redirect flaws. For example, inurl:"redirect?url=" site:examplesite.com might reveal potentially vulnerable redirect parameters on the examplesite.com domain. 
  • Traffic interception: By using tools like Wireshark or MITM proxies, attackers can intercept web traffic (especially on open Wi-Fi networks) to identify and analyze redirection mechanisms in real time. 

By knowing how attackers search for vulnerabilities, developers and security professionals can better secure their web applications and monitor for potential attack attempts. Regular penetration testing, vulnerability assessments and software updates are some of the best practices to prevent these flaws in a website or app.  

How Do Open Redirects Facilitate Phishing Attacks? 

Open redirect flaws work so well as a phishing tactic because they ruthlessly exploit trust. The initial part of the link originates from a trusted source, which makes people inclined to trust the entire URL without a hint of suspicion, even if it redirects them to a malicious site.

Complicating matters is the ability to further disguise malicious URLs using link shorteners. Open redirect flaws also facilitate phishing by bypassing some basic security controls. Some security solutions let links to trusted domains through, and an open redirect gets past these checks because the link originates from a safelisted domain. 

Identifying Phishing Attacks That Exploit Open Redirects 

Given the ability of open redirect flaws to piggyback off trust in certain domains, spotting them requires specific user training. To ensure your team can spot phishing attacks that exploit open redirects, here are some tips: 

  • Inspect the URLs in emails carefully and look for misspellings or subtle changes in domain names. Examine URL parameters that suggest redirection, like ?redirect=, ?url= or ?next=, and pay careful attention to the URL that comes after these redirect parameters.  
  • For sites that employees visit regularly (like frequently used company apps, services or email), instruct them to use bookmarks. Accessing sites directly via bookmarks reduces the chance of visiting a phishing link. 
  • Warn staff to be vigilant when they see URL-shortened links in emails. Tools like Bitly or TinyURL often mask malicious URLs. It’s worth pointing to the value of using URL expanders or preview services to see the full URL before clicking. 
  • If anyone receives an unexpected link or request that urges immediate action, verifying its legitimacy is pivotal. Calling the company or individual directly using a phone number known to be correct (not one provided in the suspicious message) is a prudent move that takes time but may save you from a breach.
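As an added example that is not part of the original post, a small Python triage helper for the first tip above: it pulls the redirect-style parameters the post names out of a link, decodes the nested destination and reports whether that destination leaves the domain the link appears to come from. The parameter set and the sample links are assumptions/constructed, and the check is local only (it does not fetch or expand anything).

```python
# Added example (not from the original post): triage of a link for redirect-style
# parameters whose value points off the outer host. The parameter names are the
# ones the post calls out; the sample links are constructed.
from urllib.parse import urlsplit, parse_qs

REDIRECT_PARAMS = {"redirect", "url", "next"}  # assumed set, from the post's tip


def nested_destinations(link: str) -> list:
    """Return (parameter, destination, leaves_outer_host) for every redirect-style
    parameter whose value is an absolute or scheme-relative URL. Chained redirects
    (a destination that itself carries a redirect parameter) are followed too."""
    try:
        outer = urlsplit(link)
    except ValueError:
        return []  # unparsable link: nothing to report here
    findings = []
    for name, values in parse_qs(outer.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            try:
                inner = urlsplit(value)
            except ValueError:
                continue
            if not inner.netloc:
                continue  # a relative path such as /dashboard stays on this site
            leaves = (inner.hostname or "") != (outer.hostname or "")
            findings.append((name, value, leaves))
            findings.extend(nested_destinations(value))  # one layer deeper
    return findings


def is_suspicious(link: str) -> bool:
    """True when any redirect-style parameter sends the user off the outer host."""
    return any(leaves for _, _, leaves in nested_destinations(link))
```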

Aside from these tips to improve employee awareness, your business should also implement safeguards. Multi-factor authentication for important apps and services provides an extra layer of defense against phishing emails that target login credentials. Email security software with link-scanning capabilities backed by AI can also help identify and block emails that exploit open redirect flaws.  

Website admins or web app security teams can mitigate these flaws by never using input from the user to determine the redirection target. Instead of passing URLs as the redirection target, pass a short code that you map server-side to a full URL. If a web app must accept a full URL as the redirection target, maintain a safelist of authorized destinations and reject any URL not on the safelist. 
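The two mitigations above, as an added example that is not from the original post: a Python version of a redirect handler like the hypothetical redirect.jsp, in its unvalidated form beside a hardened one that resolves short codes server-side and, where a full URL must be accepted, checks it against a safelist of hosts. The host names, the code table and the function names are assumptions.

```python
# Added example (not from the original post): redirect handling as the post
# describes it, first unvalidated, then using the two mitigations it recommends.
from urllib.parse import urlsplit

# Mitigation 1: the client supplies a short code, never a URL; the server owns
# the mapping to full URLs (assumed table for the hypothetical examplesite.com).
REDIRECT_CODES = {
    "home": "https://examplesite.com/home",
    "docs": "https://docs.examplesite.com/",
}
HOME = REDIRECT_CODES["home"]

# Mitigation 2: when a full URL must be accepted, only these hosts are allowed.
SAFE_HOSTS = {"examplesite.com", "docs.examplesite.com"}


def vulnerable_redirect(url_param: str) -> str:
    """The flaw: whatever ?url= says is where the user is sent."""
    return url_param


def redirect_by_code(code: str) -> str:
    """Resolve a short code; anything unknown lands on the home page."""
    return REDIRECT_CODES.get(code, HOME)


def safe_redirect(url_param: str) -> str:
    """Honour the target only if it is a same-site path or a well-formed
    http(s) URL to a safelisted host; otherwise fall back to the home page."""
    # Some browsers treat a backslash like a slash, so validate the form the
    # browser will actually follow.
    target = url_param.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:
        return HOME  # unparsable input is never a valid destination
    if not parts.scheme and not parts.netloc and target.startswith("/"):
        return target  # plain relative path on this site (not '//host')
    if parts.scheme not in ("http", "https"):
        return HOME  # also rejects javascript:, data: and scheme-relative URLs
    if parts.username or parts.password:
        return HOME  # credentials in the URL can disguise the real host
    if parts.hostname is None or parts.hostname not in SAFE_HOSTS:
        return HOME  # exact host match only: no look-alike or suffixed domains
    return target
```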

Understand Industry-Specific Threats 

Cyber adversaries boost their chances of successful attacks by using industry-specific insights. Social engineering attacks that use open redirect flaws can become even more dangerous in the hands of threat groups who tailor their attacks to specific industries.

That’s where Nuspire’s threat modeling comes in to help you better understand the latest tactics and techniques adversaries are using in your industry. Not only do you get high-quality threat intel, but we go one step further with recommendations to improve or develop a more effective security program.   
