Open redirect (CWE-601) allows phishing attack to be more effective. Redirection is commonly used within all web applications for various purposes. From the login page, it is a common practice to redirect the user to another page once the user logs in. Sometimes the user goes directly to a content page and is redirected to a login page, in order to bounce the user back to the right content page, a redirection link is sometimes used.
Internal URL redirection is sometimes used throughout the site to get the user to the right place on the site. For example, the user can type in the name of the file in a field, and the web script can direct the user to a download page such as http://www.sans.org/download?=http://sans.org/files/[userinput]
Search engines are commonly used as open redirects, simply because search engines wants to keep track of where the user went, so the user clicks on a link within the search results and is then redirected to the site they want to visit. Google had been such an open redirect in the early days.
The problem with the redirect is
http://www.sans.org/redirect?=http://phishingevilsite
This URL may look like it is pointing user to sans.org but in fact it is redirecting the user to phishingevilsite. This allows the phishing list to be more real looking.
For mitigation, if a link redirection is necessary, put in a hash to the URL querystring. The hash should be based on a secret key and the URL itself. Before redirection, validate the hash to make sure the redirection is legitimate.
The redirection can then happen on the HTTP header. Before sending out the final redirection header, check to make sure the referer tag is from an internal source, not somewhere else on the Internet or blank. Robots.txt can be used to exclude the redirect script from being indexed by the search engine. This attracts less attention to the redirection scripts.
If at all possible, avoid using full URL redirection, allowing only part of the path to be controlled by the user can cut down on some risks. To be more secure against open redirect, use a number or character substitute for the URL if possible.
