Python - URL Redirection

Running the app on Docker

$ docker pull blabla1337/owasp-skf-lab:url-redirection

$ docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:url-redirection

Now that the app is running let's go hacking!

Reconnaissance

Step 1

The application shows that there is a new version of the website available somewhere, and a click on the button "Go to new website" will redirect you to it.

If we click on the button we will be redirected on the new page http://localhost:5000/newsite

Step 2

Intercepting the traffic generated by the application, we note that the redirection is performed using the following call

GET /redirect?newurl=newsite

That will generate a 302 Redirect response from the server.

Inspecting the source code, it's possible to see no input validation of newurl query string parameter is in place.

def redirector():
    landing_page = request.args.get('newurl')
    return redirect(landing_page, 302)

Exploitation

The exploitation is pretty straightforward. Replay the redirection request, but at this time change the value of newurl into another URL.

Original request

http://0.0.0.0:5000/redirect?newurl=newsite

Modified request

http://0.0.0.0:5000/redirect?newurl=https://www.google.com

Using the payload above we will be able to successfully redirect a user to any website:

Additional sources

https://www.owasp.org/index.php/Testing_for_Client_Side_URL_Redirect_(OTG-CLIENT-004)

PreviousURL Redirection NextNodeJS - URL Redirection

Last updated 2 years ago

Was this helpful?

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagStep 1

hashtagStep 2

hashtagExploitation

hashtagAdditional sources

Running the app on Docker

Reconnaissance

Step 1

Step 2

Exploitation

Additional sources