Redirectors: the phantom menace
22:47 12.09.2009This is English version of my Redirectors: the phantom menace article.
There is such security problem in Internet as redirectors. Already at beginning of January 2008 I planned to write the article about different variants of attacks with using of redirectors. And now I present for you the article “Redirectors: the phantom menace”. It’s anthology of attacks with using of redirectors.
Attacks via redirectors.
Besides redirection to malicious and phishing sites, redirectors can be used for other attacks. Here is a list of all attacks via redirectors which I know:
- Redirection.
- HTTP Response Splitting and XSS (via HTTP Response Splitting) attacks.
- Full path disclosure attacks.
- Bypass of spam-filters.
- Bypass of flash restrictions.
- XSS attack via jar: URI in Firefox.
- Attack on Google Toolbar.
- CSRF attacks on a site.
- Hidden attacks on other sites.
- Image leakage in Firefox.
- Denial of Service attacks.
- Cross-Site Scripting attacks.
Redirection.
Standard attack with using of redirectors - it’s redirection to other sites for the purpose of infecting with viruses, conducting of phishing attacks, or just entice to the site of advertiser.
For these purposes numerous redirectors in Internet can be used, particularly in search engines (which I wrote about in MOSEB project), at popular sites (and other sites), in CMS and other web applications.
HTTP Response Splitting and XSS (via HTTP Response Splitting) attacks.
There can be HTTP Response Splitting vulnerabilities in web applications redirectors. Which can be used for conducting of HTTP Response Splitting and XSS (via HTTP Response Splitting) attacks. The protection from these attacks was made in last 4.x versions and 5.x versions of PHP. But PHP is using not at all sites, and there are not always last versions where it’s using, besides after fixing of this hole, developers of PHP added Full path disclosure hole.
Full path disclosure attacks.
If using at the site of last 4.x versions or 5.x versions of PHP, there is Full path disclosure vulnerability in PHP-redirectors.
Set “%0A1″ as URL of the site for this redirector and you’ll get the message “Warning: Header may not contain more than a single header, new line detected.” together with full path at the site.
http://site/redirector.php?url=%0A1
Bypass of spam-filters.
Redirectors can be used for bypass of spam-filters in e-mail. When spam-filters is set on appropriate URL of sites, then using of redirectors allows to bypass it. If filter is looking not on full URL, but on entering of string in site’s address, then it can be bypassed with help of redirection services (such as TinyURL and others).
Bypass of flash restrictions.
Bypass of flash restrictions on crossdomain access is possible via substitution of crossdomain policies (crossdomain.xml) with using of redirectors (which Stefan Esser wrote about). It can be used for conducting of Cross-Site Request Forgery attacks. These attacks (crossdomain) are possible in old versions of flash plugin.
XSS attack via jar: URI in Firefox.
In Mozilla Firefox the Cross-Site Scripting attacks are possible via jar: URI. Petko D. Petkov aka PDP found this vulnerability, and Beford found, that in Firefox it’s possible to use it together with redirectors for conducting of XSS attacks via jar: URI, without need to upload files on these sites. Vulnerability was fixed in Firefox 2.0.0.10 and SeaMonkey 1.1.7.
Attack on Google Toolbar.
As showed Aviv Raff, who found this vulnerability, in Google Toolbar it’s possible to spoof content of dialog window at adding of the button (with using of redirector). Vulnerable to Google Toolbar Dialog Spoofing Vulnerability are Google Toolbar 5 beta and previous versions.
CSRF attacks on a site.
Redirectors can be used for the purpose of conducting of CSRF attacks, when it’s needed to bypass checking of the referrer (as protection against CSRF), in order to make referrer from the same site.
Hidden attacks on other sites.
Redirectors can be used for conducting of attacks (particularly CSRF attacks) on other sites, for the purpose of hiding real attacking site, so as to mention quite another site in the logs.
Image leakage in Firefox.
Using of getImageData() together with redirection it’s possible to get cross-site access to images. Chris Evans found this vulnerability in Firefox. It was fixed in Firefox 2.0.0.18.
Denial of Service attacks.
Redirectors can be used for conducting of DoS attacks. There are possible two variants: redirector looped on itself (Looped DoS) and redirector looped on redirector (looped redirection attack).
About first variant of attack I wrote concerning vulnerabilities in Power Phlogger (and also I found these vulnerabilities on different sites), and about second variant of attack I wrote in detail in my articles Redirectors’ hell and Hellfire for redirectors.
Cross-Site Scripting attacks.
It’s possible to conduct XSS attacks via redirectors. For these purposes as refresh-header, as location-header redirectors can be used. Which I wrote about in detail in article Cross-Site Scripting attacks via redirectors.
There are next vulnerable browsers: Mozilla 1.7.x, Mozilla Firefox 3.0.x and 3.5.x (and Firefox 3.6 Alpha and 3.7 Alpha), Internet Explorer 6, Opera 9.x and 10.x, Google Chrome 1.x, 2.x and 3.x, QtWeb 3.0, Safari 4.0.x, SeaMonkey 1.1.x, Orca Browser 1.2 and Maxthon 3 Alpha (and in most cases previous versions of all mentioned browsers).
Conclusions.
Redirectors represent a danger to security of users of Internet. So owners of web sites, which have redirectors (open) on them, and also developers of browsers (when attack occurs because of a problem in browser), must not allow such vulnerabilities, and hard fixing already existent ones.
Вівторок, 20:07 19.01.2010
Also redirectors can be used for conducting of XSS attacks via PDF files, which I wrote about in post Script Injection in Adobe Acrobat.
Вівторок, 01:53 18.05.2010
Also redirectors can be used for conducting of DoS attacks on browsers via redirection to mailto: URL, which I wrote about in post DoS in Firefox, Internet Explorer, Chrome, Opera and other browsers.
Неділя, 18:50 27.06.2010
Also redirectors can be used for bypassing of restrictions on URL at HTML Injection attacks, particularly Link Injection. As in case of vulnerability at news.yahoo.com.
In contrast to bypass of protection filters at using of closed redirectors (attack #10), in this case not external redirector is using, but internal one (at this site, or at the site from allowed list).
Середа, 20:15 22.06.2011
Also redirectors can be used for memory corruption in the browser, which can lead to DoS and code execution. As in case of Microsoft Internet Explorer.