WebApp Sec mailing list archives

usability vs security - return urls by parameter


From: "MC Iglo" <mc.iglo () googlemail com>
Date: Tue, 15 Jul 2008 12:09:19 +0200

Hi all,

Lately, I see more and more pages using GET parameters to store a
return URL after login.
Two famous examples are eBay and Google.

Of course, this is nice for the user, to get back to where he came from
before logging in.
But on the other hand, I think that's an extremely high risk!

In most cases, the URL is something like
http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return=http%3A%2F%2Fgooddomain.tld%2Fadmin&morearg=morebla

As you can see in the example above, it is not very clear what URL the
user will be redirected to.
Now let's obfuscate it a little bit more and replace the return path, and you get
http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return=%68%74%74%70%3a%2f%2f%62%75%67%67%65%6c%7a%2e%66%75%6e%70%69%63%2e%64%65%2f%67%70%6f%74%61%74%6f%2e%68%74%6d%6c&morearg=morebla

(The decoded string is an example form - I notified them separately before.)

Let's send this link to someone interested in their products, or put it
on a website/forum as a reply to a question. Even careful people might
be tricked into clicking this link and logging in, because they see
'http://gooddomain.tld/...', and that IS the site they want to go
to.
After they have logged in successfully, the website redirects them to my
malicious site, which says the login was incorrect. Of course, the
user will not be distrustful, because he was sent to this 'view' by
gooddomain.tld (he
won't check the address bar, for sure), and will type in his data again to be
sure he made no typos, and I store this data on my server.
I have successfully stolen his data and redirect him to the normal portal.
He won't even notice it and thinks he made a typo on the first try.

In my opinion, this is extremely critical.
But hey... who cares? It's Web 2.0...

Regards
MC.Iglo
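One server-side check against the redirect abuse described in this post, as an added example that is not part of the original message: it decodes the `return` parameter repeatedly (so the percent-encoded form in the second URL is seen for what it is), accepts only a path on the site's own host (`gooddomain.tld`, the placeholder host from the post), and falls back to `/` otherwise. The two login URLs quoted in the post are embedded as sample input.

```python
from urllib.parse import parse_qs, unquote, urlsplit

OWN_HOST = "gooddomain.tld"   # placeholder host taken from the post

# Sample inputs: the two login URLs quoted in the post (the second one
# percent-encodes an external host in its return parameter).
SAFE_LOGIN_URL = ("http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa"
                  "&arg3=%22alb%22&return=http%3A%2F%2Fgooddomain.tld%2Fadmin&morearg=morebla")
PHISHING_LOGIN_URL = ("http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22"
                      "&return=%68%74%74%70%3a%2f%2f%62%75%67%67%65%6c%7a%2e%66%75%6e%70%69%63"
                      "%2e%64%65%2f%67%70%6f%74%61%74%6f%2e%68%74%6d%6c&morearg=morebla")


def safe_return_url(raw, own_host=OWN_HOST, default="/"):
    """Reduce a user-supplied return URL to a same-site path, or `default`."""
    if not raw:
        return default
    target = raw
    for _ in range(3):               # bounded loop: undo nested %25xx encoding
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = target.strip()
    # Backslashes and control characters are parser-confusion material; refuse.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative '//host') URL: only http(s) on our own host.
        if parts.scheme not in ("http", "https") or parts.hostname != own_host:
            return default
        path = parts.path or "/"
    else:
        path = parts.path
        if not path.startswith("/"):  # no relative-to-current-page targets
            return default
    # Rebuild without scheme/host so the browser can only stay on this site.
    rebuilt = path
    if parts.query:
        rebuilt += "?" + parts.query
    if parts.fragment:
        rebuilt += "#" + parts.fragment
    return rebuilt


def return_target_from_login_url(login_url):
    """Extract the 'return' parameter from a login URL and sanitise it."""
    raw = parse_qs(urlsplit(login_url).query).get("return", [None])[0]
    return safe_return_url(raw)
```

With this in place, `return_target_from_login_url(SAFE_LOGIN_URL)` yields `/admin`, while the obfuscated URL from the post collapses to `/`, so the user stays on the site after login.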
