This is English version of my Attacks via closed redirectors article.
In my article Redirectors: the phantom menace I wrote about attacks with using of open redirectors. Besides using of open redirectors for various attacks, closed redirectors also can be used.
Open redirectors - are redirectors which set address for redirection in URL (http://site/redirector.php?url=http://site2). Closed redirectors don’t set address for redirection in URL and have necessary addresses in DB, from which they take them by id (http://site/closed_redirector.php?id=1).
Closed redirectors considered more secure in comparison with open ones, but, as it’s clear from my article, they also can be used for many attacks (when there is possibility to set in them necessary URLs, or if they already were set). To closed redirectors belong as redirection services (such as TinyURL and others), as different counters, ratings and banner systems, where necessary URL is set in DB and is accessible by id. I.e. if you have access, for example, to banner system at the site, and can set arbitrary value of URL for banner (to which user will go at click on it), then you can conduct various attacks.
I meet many times in Internet cases of using of closed redirectors for different attacks. And also used them by myself during finding of vulnerabilities at the sites (for bypassing of filters and WAF). And I wrote about some of these attacks at my site.
Attacks via closed redirectors.
There are possible next attacks via closed redirectors:
- Bypass of spam-filters.
- Bypass of flash restrictions.
- XSS attack via jar: URI in Firefox.
- CSRF attacks on a site.
- Hidden attacks on other sites.
- Image leakage in Firefox.
- Denial of Service attacks.
- Cross-Site Scripting attacks.
- Bypass of protection filters.
If there were 12 attacks via open redirectors, then there are possible 10 attacks via closed redirectors (one new attack from them). You can read in detail about these attacks in my article.
In case of such attacks as Redirection, Bypass of spam-filters, Bypass of flash restrictions, XSS attack via jar: URI in Firefox, CSRF attacks on a site, Hidden attacks on other sites, Image leakage in Firefox, the attack itself occurs almost equally for open and closed redirectors. In case of Denial of Service attacks it’s necessarily needed to use of closed redirector, i.e. there are possible two variants of an attack: using of open and closed redirector, using of two closed redirectors.
In case of Cross-Site Scripting attacks there are such attacks, which are possible with closed redirectors, particularly at redirection services such as TinyURL. These are attacks #3 and #5, which are described in my article Cross-Site Scripting attacks via redirectors. And I’ll tell more in detail about tenth attack.
Bypass of protection filters.
Redirection services (which are closed redirectors) allow to create new addresses for already existent addresses of the sites. Which allows to use them for bypass of the filters (including WAF) at the sites. It can be used in case of need to place a link or at conducting of XSS attacks. You can read in detail about this attack in my article Using of redirection services for bypass of the filters.