Return to training

Open Url Redirects Shared by @zseano - Updated on 28/09/2018


Open url redirects are simply urls like https://www.example.com/?go=https://www.google.com/, which when visited will go from example.com -> google.com. Generally they are classed as low impact, but can we get account takeover with one?

Update: Since writing this Facebook and other major Oauth services made changes to not allow for *.theirsite.com/*. This attack may still work if they have custom oauth in place or if they still configure it incorrect. I recommend checking out this great post by @arneswinnen for a great proof of concept on AirBnB.


So let's begin on actually finding an open url redirect and common places to look. Let's see what google knows first by using site:example.com inurl:redirect. We can play with that more by using more common words for redirecting such as, inurl:go, inurl:return, inurl:returnTo, inurl:goto, inurl:returnurl etc etc.

None found? Ok no problem, let's start using their site and look at common places. From my experience common pages are: login, register, logout, change site language, links in emails.

By this time we would of found atleast one open url redirect, and if not, get back to hunting! ;) Now we've got our bug, should we report it or try do something with it? From my experience I will always look further, and I highly suggest you do too! Here are some common things to do with an open url redirect:

Grab tokens via mis-configured Oauth
Facebook do a good job at trying to protect a users' access_token by having features such as the appsecret_proof, but sadly they are let down by people NOT using the features available to them. In walks the hacker. Facebook oauth system is simple: supply it with a client_id and a white listed redirect_uri to obtain the token.

An example: https://www.facebook.com/dialog/oauth?client_id=388795771235143&response_type=token&redirect_uri=https://www.cbssports.com/&scope=email

Note: Either use &response_type=code or response_type=token to achieve different results.

Now let's imagine we have an open url redirect on zseano.cbssports.com. If we input &redirect_uri=https://zseano.cbssports.com/ and it accepts it - BINGO. If not, don't worry, test something like https://www.cbssports.com/test/. If it still does not allow it, they're secure. If it does allow it, the scope can only be http://www.cbssports.com/*.

Now here comes a cool trick with facebooks oauth system. If you supply facebook with &redirect_uri=https://zseano.cbssports.com/?goto=https://www.google.com/ then it won't follow the redirect to your site (where you steal their oauth token).

The trick? URL ENCODE. That's right, if we give facebook &redirect_uri=https%3A%2F%2Fzseano.cbssports.com%2F%3Fgoto%3Dhttps%3A%2F%2Fwww.google.com%2F then it will follow the redirect to your site and you can harvest their fb oauth token. :)

What can a FB oauth token do? Lots according to facebook. We can query for their email, post to their wall (if right permissions are given), and tons more. Is our open url redirect starting to mean something because we can harvest their users emails if they visit our site?

Account takeover with Facebook access_tokens

It doesn't stop at just querying for their facebook information. Get your mobile phone and see if this site has a mobile app. 9 times out of 10 they will have a "Login with Facebook" button and from my experience when logging in (and registering!) via their FB app they will do the following:

- Grab my facebook access_token
- Send it to their server and exchange for a bearer token
- Use this token in all calls (basically my session)

So are you following me here? The apps i've tested essentially allow me to redirect a user to the facebook oauth dialog screen, redirect to my site and hijack his token, then query the actual sites mobile api system in exchange for a token to.. you guessed it, the victims account.

Other common areas to look at are account settings for "connecting" a facebook account.



So, we just turned a "harmless" open url redirect into access to the victims account. Of course all cases of open url redirect are different, but this is a key place I always look (and usually succeed!).

New Information

After revisiting this post I noticed that Facebook and other major oauth services have tightened up their redirect_uri policy, which i'm extremely happy to see finally. There is still the possibility that the redirect_uri will be mis-configured or they use a custom oauth, so don't rule out open url redirects being 'low impact' straight away! My advice still stands to look at mobile apps!:)