Java - URL Redirection

Running the app on Docker
$ sudo docker pull blabla1337/owasp-skf-lab:java-url-redirection
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-url-redirection
Now that the app is running let's go hacking!
Reconnaissance
Step 1
The application shows that there is a new version of the website available somewhere, and a click on the button "Go to new website" will redirect you to it.
If we click on the button we will be redirected on the new page http://localhost:5000/newsite​
Step 2
Intercepting the traffic generated by the application, we note that the redirection is performed using the following call
GET /redirect?newurl=newsite
That will generate a 302 Redirect response from the server.
Inspecting the source code, it's possible to see no input validation of newurl query string parameter is in place.
public String redirect(@RequestParam(name="newurl", required=true) String newurl, Model model) {
		return "redirect:"+newurl;
	}
Exploitation
The exploitation is pretty straightforward. Replay the redirection request, but at this time change the value of newurl into another URL.
Original request
http://0.0.0.0:5000/redirect?newurl=newsite
Modified request
http://0.0.0.0:5000/redirect?newurl=https://www.google.com
Using the payload above we will be able to successfully redirect a user to any website:
Additional sources
​https://www.owasp.org/index.php/Testing_for_Client_Side_URL_Redirect_(OTG-CLIENT-004)​

NodeJS - URL Redirection

URL Redirection - Harder

Last modified 8mo ago