
Top 25 Series - Rank 23 - Open Redirect

Authored by Jason Lam

Open redirect (CWE-601) makes phishing attacks more effective. Redirection is commonly used within web applications for various purposes. From the login page, it is common practice to redirect the user to another page once the user logs in. Sometimes the user goes directly to a content page and is redirected to a login page; in order to bounce the user back to the right content page afterwards, a redirection link is often used.

Internal URL redirection is sometimes used throughout a site to get the user to the right place. For example, the user can type the name of a file into a field, and the web script then directs the user to a download page such as http://www.sans.org/download?=http://sans.org/files/[userinput]

Search engines are commonly used as open redirects, simply because search engines want to keep track of where the user went: the user clicks on a link within the search results and is then redirected to the site they want to visit. Google was such an open redirect in its early days.

The problem with the redirect is a URL such as

http://www.sans.org/redirect?=http://phishingevilsite

This URL may look like it is pointing the user to sans.org, but in fact it redirects the user to phishingevilsite. This makes the phishing link look more genuine.

For mitigation, if a link redirection is necessary, add a hash to the URL query string. The hash should be computed from a secret key and the URL itself. Before redirecting, validate the hash to make sure the redirection is legitimate.

The redirection can then be issued in the HTTP response header. Before sending the final redirection header, check that the Referer header comes from an internal source, not from somewhere else on the Internet and not blank. robots.txt can be used to exclude the redirect script from being indexed by search engines, which draws less attention to the redirection scripts.
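The signed-redirect check and the Referer check from the two paragraphs above, as an added Python example (this is not code from the original post or from SANS). The hash is an HMAC-SHA256 over the target URL keyed with a server-side secret; the secret value, the site host name and the `url`/`sig` parameter names are assumptions of the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the example: a real deployment loads the key from
# configuration and uses its own host name.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
SITE_HOST = "www.sans.org"


def sign_target(target: str) -> str:
    """Keyed hash (HMAC-SHA256) over the redirect target; only the server knows the key."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_link(target: str) -> str:
    """Produce the link the site itself emits: /redirect?url=<target>&sig=<hash>."""
    return "/redirect?" + urlencode({"url": target, "sig": sign_target(target)})


def referer_is_internal(referer: Optional[str]) -> bool:
    """A blank Referer, or one from another host, means the request did not come from our pages."""
    if not referer:
        return False
    return urlparse(referer).netloc.lower() == SITE_HOST


def validate_redirect(request_url: str, referer: Optional[str]) -> Optional[str]:
    """Return the target to place in the redirect header, or None when the request must be refused."""
    params = parse_qs(urlparse(request_url).query)
    target = params.get("url", [None])[0]
    sig = params.get("sig", [None])[0]
    if target is None or sig is None:
        return None
    # The signature is attacker-controlled input: recompute and compare in constant time.
    expected = sign_target(target)
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None
    # A redirect that was not reached from one of our own pages is refused.
    if not referer_is_internal(referer):
        return None
    return target


if __name__ == "__main__":
    good = build_redirect_link("https://www.sans.org/files/whitepaper.pdf")
    print("site-generated link:", good)
    print("valid:", validate_redirect("https://www.sans.org" + good, "https://www.sans.org/login"))
    # Swapping the target while keeping the original signature fails validation.
    forged = "/redirect?" + urlencode({"url": "http://phishingevilsite", "sig": good.split("sig=")[1]})
    print("forged:", validate_redirect("https://www.sans.org" + forged, "https://www.sans.org/login"))
```

Because the hash covers the whole target string, a link that has had its `url` parameter swapped fails validation even though it still carries a signature the site once issued; a missing or blank Referer is refused in the same path, so the script never emits a redirect it cannot attribute to its own pages.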

If at all possible, avoid full URL redirection; allowing only part of the path to be controlled by the user cuts down on some of the risk. To be more secure against open redirect, use a number or character code in place of the URL where possible.
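The two restrictions in the paragraph above (user controls only a path fragment; user supplies a short code instead of a URL), as an added Python example that is not part of the original post or of any SANS code. The lookup table, the `FILES_ROOT` base URL and the function names are constructed for the example.

```python
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed lookup table: users pass a short key (e.g. ?to=docs), never a URL, so the
# redirect script can only ever send them to one of these pre-approved destinations.
REDIRECT_TARGETS = {
    "docs": "/resources/documentation",
    "courses": "/courses",
    "partner": "https://partner.example.com/landing",  # external but pre-approved
}

# Assumed base for the partial-path variant; only the part after it is user-controlled.
FILES_ROOT = "https://www.sans.org/files/"


def resolve_by_key(key: str) -> Optional[str]:
    """Substitute form: the user supplies an identifier, the server supplies the URL."""
    return REDIRECT_TARGETS.get(key)


def resolve_by_path(user_path: str) -> Optional[str]:
    """Partial-path form: the user may pick a file under FILES_ROOT but cannot change host or scheme."""
    if not user_path:
        return None
    # A leading slash or backslash would let "//host/x" become a protocol-relative URL.
    if user_path[0] in "/\\":
        return None
    # Absolute URLs, backslashes and parent-directory segments are never legitimate file names.
    if "://" in user_path or "\\" in user_path or ".." in user_path.split("/"):
        return None
    # Percent-encode anything that is not a plain path character, keeping "/" as a separator.
    candidate = FILES_ROOT + quote(user_path, safe="/")
    # Final check: the assembled URL must still point at our own host.
    if urlsplit(candidate).netloc != urlsplit(FILES_ROOT).netloc:
        return None
    return candidate


if __name__ == "__main__":
    for key in ("docs", "partner", "http://phishingevilsite"):
        print(f"key {key!r:30} -> {resolve_by_key(key)}")
    for path in ("whitepaper.pdf", "2024/report v2.pdf", "//phishingevilsite/x",
                 "http://phishingevilsite", "../../admin"):
        print(f"path {path!r:29} -> {resolve_by_path(path)}")
```

With the key form there is nothing for a phishing link to inject: an unknown key simply yields no redirect. The path form keeps a little flexibility for the file-download case, and each rejection branch corresponds to one way a user-supplied fragment could otherwise change the host the browser ends up on.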

AppSec Street Fighter - SANS Institute