Open Redirect Vulnerabilities Facilitate Malicious Cyber Activity

Updated: Jul 18, 2019

The NTIC Cyber Center assesses with high confidence that open redirect vulnerabilities in misconfigured web applications will continue to be an attractive attack vector for cyber threat actors seeking to distribute malware, promote websites containing inappropriate or malicious content, and direct unsuspecting victims to phishing pages designed to steal login credentials and other sensitive information.


Open redirect vulnerabilities, also known as unvalidated redirects and forwards, are weaknesses in web application security configurations that permit information appended to the end of a Uniform Resource Locator (URL), or web address, to redirect a visitor to other websites. Though open redirect vulnerabilities have been a known security weakness since at least 2007 — identified in the Common Weakness Enumeration system as CWE-601 — they remain a persistent threat to end users who visit websites containing misconfigured open redirect protocols. Despite the availability of information about this weakness, many organizations neglect to remedy misconfigured open redirect protocols and continue to host websites that are vulnerable to exploitation. Additionally, the availability, accessibility, and proliferation of new suites of penetration testing tools allow cyber threat actors to scale efforts to locate and exploit websites containing this weakness.


Not all redirect protocols are malicious or risky. Redirect protocols that are properly configured enable web administrators or developers to automatically deliver visitors to other websites. For example, when a visitor mistypes or accesses an outdated version of a URL, a properly configured redirect protocol ensures the visitor arrives at the intended or most current version of a web page.


However, misconfigured redirect protocols that allow for open and unverified redirection create a vulnerability that cyber threat actors can exploit to conduct malicious activities. Cyber threat actors can use open redirect protocols, in conjunction with various social engineering techniques, to trick web users into following URLs that appear trustworthy. They may also use open redirect vulnerabilities to redirect users to websites hosting explicit or adult content. Open redirect vulnerabilities ultimately place people who visit misconfigured websites at risk of cyber threats including phishing, data theft, and malware infections.


Recent Open Redirection Vulnerability Incidents

  • In June 2019, a technology news source indicated that numerous misconfigured websites of federal and state government agencies were redirecting visitors to sites hosting adult content, online scams, and phony advertisements.

  • In May 2019, the NTIC Cyber Center discovered cyber threat actors abusing open redirect vulnerabilities on websites of several local government agencies and organizations.

  • In May 2019, security researchers reported that cyber threat actors abused an open redirect vulnerability in a URL contained within a spoofed delivery notification email to trick recipients into navigating to a website delivering the Trickbot banking Trojan.

  • In April 2019, a security research company identified US government websites containing open redirect vulnerabilities that were forwarding visitors to websites hosting adult content.

  • In May 2018, a security research company reported that cyber threat actors abused an open redirect vulnerability within Google Maps to send unsuspecting visitors to a Russian URL hosting malicious content.

  • In April 2018, a technology news source reported that unknown cyber threat actors were abusing an open redirect vulnerability within an official Department of Justice web page to forward visitors to websites hosting adult content. Researchers believe that automated software programs were used to locate vulnerable websites, modify their web addresses, and forward visitors to external websites in an attempt to increase ad revenue, boost visibility, and co-opt higher search result rankings.

  • In September 2017, a security research company reported that cyber threat actors abused an open redirect vulnerability in Google’s App-engine website to redirect Office 365 email users to a website delivering JavaScript malware.

  • In March 2016, cyber threat actors abused an open redirect vulnerability in a WordPress web application plugin on a small business website to redirect customers to websites hosting adult content.


How Open Redirect Vulnerability Attacks Work

  1. Cyber threat actors may use automated software programs to locate websites configured with open redirect vulnerabilities. These programs crawl indexed URLs for inclusion of a web application parameter that may be indicative of open redirect functionality, such as:

       ?url=http://targetURL
       ?redirectUrl=http://targetURL
       ?next=%2f%2ftargetURL
       ?view=//targetURL
       /login?to=/targetURL

     Cyber threat actors may also use advanced Google queries, sometimes called “dorks,” to identify websites configured with open redirect vulnerabilities. Sample search queries may include:

       inurl:parameter site:targetURL
       inurl:url=http site:targetURL
       inurl:redirectUrl=http site:targetURL

  2. After identifying a website containing an open redirect vulnerability, a cyber threat actor appends the URL of a malicious website to the end of the vulnerable URL. The resulting aggregate may appear similar to the following example:

       http[:]//example[.]com/example.php?url=http://malicious.example.com

     The cyber threat actor may also choose to obfuscate the malicious URL, making its addition to a legitimate URL difficult for a visitor to discern.

  3. The cyber threat actor disseminates the new link, composed of both the original URL and the malicious redirection URL, to victims in an email message, text message, social media post, or other messaging platform. The link appears legitimate since the primary domain name in the modified URL remains unaltered.

  4. When a recipient clicks on the link, the URL automatically redirects to the cyber threat actor’s malicious destination. The redirection may occur immediately, after a brief pause, or following a pop-up message warning users that they will be exiting the legitimate site and forwarded to the new destination.

  5. Using a variety of social engineering methods, cyber threat actors may trick trusting visitors into downloading malware or surrendering credentials or personal information on phishing sites.
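For defenders, the request shape described in steps 1 and 2 is visible in web server access logs. The following is an added example, not part of the original advisory: it flags requests whose redirect-style parameter points to a host outside the site. The site hosts, log format, and sample log lines are constructed assumptions; the parameter names are the ones listed in step 1.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SITE_HOSTS = {"example.com", "www.example.com"}  # assumption: hosts this site serves
REDIRECT_PARAMS = {"url", "redirecturl", "next", "view", "to"}  # names from step 1
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines in combined log format, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2019:10:01:02 +0000] "GET /example.php?url=http://malicious.example.com HTTP/1.1" 302 0',
    '203.0.113.7 - - [18/Jul/2019:10:01:05 +0000] "GET /login?to=/account HTTP/1.1" 302 0',
    '198.51.100.9 - - [18/Jul/2019:10:02:11 +0000] "GET /go?next=%252f%252fmalicious.example.com HTTP/1.1" 302 0',
    '198.51.100.9 - - [18/Jul/2019:10:03:40 +0000] "GET /out?url=https://www.example.com/help HTTP/1.1" 302 0',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, which is one way a target gets obfuscated."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def offsite_target(value):
    """Return the external host a parameter value points to, or None."""
    value = fully_decode(value).strip().replace("\\", "/")
    # Only absolute ("scheme://host") and scheme-relative ("//host") values leave the site.
    if not re.match(r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?//", value):
        return None
    try:
        host = (urlsplit(value).hostname or "").lower()
    except ValueError:
        return None
    return host if host and host not in SITE_HOSTS else None

def find_suspect_redirects(lines):
    """Return (client_ip, parameter, external_host, status) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            host = offsite_target(value) if name.lower() in REDIRECT_PARAMS else None
            if host:
                hits.append((line.split()[0], name, host, int(m.group(2))))
    return hits
```

A flagged request that was answered with a 3xx status is the case to investigate first, since it suggests the application honoured the external target.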


Recommendations to Mitigate the Risks of Open Redirect Vulnerabilities


The NTIC Cyber Center strongly recommends that all organizations implement a robust and layered security strategy to identify and manage risks posed by open redirect vulnerabilities. Website administrators are encouraged to review the following list of recommendations to help minimize the abuse of redirection protocols.

  • Configure web applications to avoid using URL redirections or forwards.

  • If open redirect functionality cannot be avoided, configure web applications to allow only whitelisted URLs to be valid destinations of redirect requests.

  • Configure valid redirect requests to prompt a disclaimer page notifying users they will be exiting the organization’s site before forwarding to the redirect destination, and force users to click a prompt to confirm the redirect request.

  • Configure application firewalls to detect and report attacks against open redirect vulnerabilities.

  • Administrators using ASP.NET MVC 1.0 and 2.0 applications can add code to protect against open redirect attacks by referencing Microsoft instructions.
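The allowlist and disclaimer-page recommendations above can be combined in one server-side check. The following is an added example, not code from the NTIC or from Microsoft's instructions: it decides whether a requested redirect target is followed directly, sent through an exit-confirmation page, or rejected. The host lists, the fallback path, and the function name `decide_redirect` are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration: the site's own hosts and approved external hosts.
OWN_HOSTS = {"example.com", "www.example.com"}
APPROVED_EXTERNAL = {"payments.example.org"}
FALLBACK = "/"

def decide_redirect(raw):
    """Return (action, target); action is 'direct', 'confirm' (exit page) or 'reject'."""
    reject = ("reject", FALLBACK)
    if not raw or len(raw) > 2048:
        return reject
    # Browsers treat "\" as "/" and drop tab/CR/LF inside URLs, so refuse
    # backslashes, whitespace and control characters before parsing.
    if "\\" in raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return reject
    try:
        parts = urlsplit(raw)
        port = parts.port
    except ValueError:
        return reject
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow only a local absolute path, never "//host".
        if raw.startswith("/") and not raw.startswith("//"):
            return ("direct", raw)
        return reject
    if parts.scheme != "https" or port not in (None, 443):
        return reject
    if parts.username is not None or parts.password is not None:
        return reject  # userinfo such as "https://example.com@other-host/"
    host = (parts.hostname or "").lower().rstrip(".")
    if host in OWN_HOSTS:
        return ("direct", raw)
    if host in APPROVED_EXTERNAL:
        return ("confirm", raw)  # exact host match only, no suffix matching
    return reject
```

The host comparison is an exact match on the parsed hostname; prefix, suffix, or substring checks on the raw string are what let look-alike hosts through.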
