Re: Potential XSS errors when using information from HTTP requests

["Jeff Williams" <jeff.williams () aspectsecurity com>]

Wide open redirectors should be avoided. We see these frequently in
applications that redirect to error pages, login pages, and other parts of
the application.

An attacker can use these to redirect a user's browser to anywhere without
validation.  So they're just asking to be abused by pfishers.  Gives the
pfisher a bit of credibility since the real application did the redirecting.

If you're redirecting, make sure you 1) validate the targets carefully, and
2) remember that the redirect goes through the user's browser and can be
changed. Don't trust anything from an HTTP request, even if it came from a
redirect.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message ----- 
From: "V.Benjamin Livshits" <livshits () cs stanford edu>
To: <webappsec () securityfocus com>
Sent: Saturday, October 16, 2004 5:27 PM
Subject: Potential XSS errors when using information from HTTP requests


> I've been seeing a lot of redirects like the ones below in J2EE
> programs.
>
> 1. response.sendRedirect(request.getParameter("REFERRER"));
>
> 2. response.sendRedirect(request.getRequestURI());
>
> 3. response.sendRedirect(request.getServletPath() + toPath);
>
> Since the URL the user is being redirected to comes from the HTTP
> header, I was wondering if forging parts of the header may lead to a
> cross-site scripting exploit of some sort. Clearly, it would be
> dangerous to use this data as part of SQL statements. However, I have
> trouble imagining XSS exploit scenarios.
>
> Thanks,
>
> -Ben