Category: Uncategorized

  • Aid groups in Gaza and West Bank thrown lifeline as Israel court pauses ban threat



    The right-wing government of Israel’s Prime Minister, Benjamin Netanyahu, has taken a tough stance against international and Palestinian NGOs as well as UN agencies, some of which have operated in the region for decades, citing security reasons. It has also passed legislation banning the UN agency for Palestinian refugees, Unrwa, from operating in Israel, impacting its work in the West Bank and Gaza.




  • Open Redirects: A Forgotten Vulnerability?



    In 2010, OWASP added “Unvalidated Redirects and Forwards” to its Top 10 list as A10; it stayed there in the 2013 list and was dropped as a standalone entry in 2017 [owasp1] [owasp2]. Open redirects are often overlooked, and their impact is not always well understood. At first glance, it does not look like a big deal: the user receives a 3xx status code and is sent to another URL. That target URL should handle all authentication and access control itself, regardless of where the request came from.

    Historically, the main concern was phishing: a user clicks a link to a trusted URL and is immediately redirected to a malicious phishing page. The issue becomes trickier when trusted data carried in the URL is forwarded to an untrusted destination with little or no user interaction. The vulnerability has become more important with the ubiquitous use of OAuth. OAuth relies on “redirect URIs” to pass the authorization code (or, in the implicit flow, the access token) from the authorization server back to the client. Best practice requires registering exact redirect URIs and matching against them exactly, but if the authorization server only checks a prefix, an open redirect anywhere under the allowlisted URL range can be used to bounce the code or token to an attacker.
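    The two halves of that argument in code, as an added example that is not part of the diary: a naive prefix-based redirect check beside a hardened one, and an authorization server that matches redirect_uri by prefix versus exactly, followed through an open redirect on the client. The host names (app.example.com, attacker.example), the /redirect and /oauth/callback paths and the token value are made-up placeholders.

```python
"""Open-redirect checks, and why OAuth redirect_uri matching must be exact.

Added example, not code from the ISC diary. app.example.com, the /redirect
and /oauth/callback paths, attacker.example and the token value are made-up
placeholders.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts the hypothetical application is willing to send users to.
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}


def is_safe_redirect_naive(url: str) -> bool:
    """The check many /redirect?url= handlers really do: a string prefix.
    Bypassable; shown only for contrast."""
    return url.startswith("https://app.example.com")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Hardened check: parse the URL, then compare the host name exactly."""
    if "\\" in url:
        return False                      # browsers treat '\' as '/', parsers may not
    try:
        p = urlsplit(url)
    except ValueError:
        return False                      # unparseable (e.g. bad IPv6 literal)
    if p.scheme == "" and p.netloc == "":
        # Relative target: allow "/path" but not scheme-relative "//evil.example"
        return url.startswith("/") and not url.startswith("//")
    if p.scheme not in ("http", "https"):
        return False                      # javascript:, data:, ...
    if p.username is not None or p.password is not None:
        return False                      # https://app.example.com@evil.example
    return (p.hostname or "").lower() in allowed_hosts


# --- OAuth side: how the authorization server matches redirect_uri ---

REGISTERED_REDIRECT_URI = "https://app.example.com/oauth/callback"
REGISTERED_ORIGIN = "https://app.example.com/"


def redirect_uri_ok_prefix(redirect_uri: str) -> bool:
    """Lenient matching: anything under the client's registered origin."""
    return redirect_uri.startswith(REGISTERED_ORIGIN)


def redirect_uri_ok_exact(redirect_uri: str) -> bool:
    """RFC 6749 section 3.1.2.3: simple string comparison with the registered URI."""
    return redirect_uri == REGISTERED_REDIRECT_URI


def authorize(redirect_uri: str, matcher, token: str = "tok-placeholder") -> Optional[str]:
    """Implicit-flow authorization response: the token rides in the URL fragment.
    Returns the Location the user agent is sent to, or None if rejected."""
    if not matcher(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def follow_open_redirect(location: str) -> str:
    """Simulate the browser arriving at the client's open redirect handler
    (/redirect?url=...). That handler answers 302 with a Location that has
    no fragment, and browsers carry the original fragment over to it."""
    p = urlsplit(location)
    if p.path != "/redirect":
        return location                   # not the vulnerable endpoint: stays put
    target = parse_qs(p.query).get("url", [""])[0]
    return f"{target}#{p.fragment}" if p.fragment else target


if __name__ == "__main__":
    evil = "https://app.example.com/redirect?url=https://attacker.example/"
    print("prefix match accepts attacker redirect_uri:", redirect_uri_ok_prefix(evil))
    print("exact match accepts it:", redirect_uri_ok_exact(evil))
    loc = authorize(evil, redirect_uri_ok_prefix, token="SECRET")
    print("browser ends up at:", follow_open_redirect(loc))
```

    The naive check passes both "https://app.example.com.evil.example/" and "https://app.example.com@evil.example/"; the parsed check rejects them, along with "//evil.example" and "javascript:" targets. On the OAuth side, the prefix matcher lets the attacker's redirect_uri through, the token lands in the fragment, and because the open redirect's 302 carries no fragment of its own, the browser delivers "#access_token=..." to attacker.example. Exact matching rejects the request before any token is issued.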

    Interestingly, our honeypots recently detected an increase in scans for various redirect-related URLs. For example:

    /continue?url=http://testdomain.com

    /redirect?url=http://testdomain.com

    /away?url=http://testdomain.com

    /goto?url=http://testdomain.com

    /jump?url=http://testdomain.com

    and others.

    [Figure: number of requests for redirect-related URLs each day]

    The graph shows the increase in redirect-related requests for February (only some of the URLs are captured in the graph).

    Most of the requests currently originate from a single IP address, 89.248.168.239, in AS202425 (IP Volume), a company registered in the Seychelles. IP Volume is often called a “bulletproof” hoster, favored by various actors for its relaxed abuse policy. Even setting these latest scans aside, blocking AS202425 may be advisable [nytimes].
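    To find this kind of probing in your own web server logs, here is an added example (not from the diary): a small detector that parses combined-format access log lines, keeps only requests to redirect-style endpoints whose url/next/redirect parameter points at an absolute or scheme-relative URL, and flags sources that touch several such endpoints. The log lines are constructed for the example and use documentation address ranges, not the scanner the diary names; the endpoint and parameter name lists extend the diary's list with a few common siblings and are an assumption.

```python
"""Spot open-redirect probing, like the ISC honeypots saw, in access logs.

Added example, not code from the ISC diary. SAMPLE_LOG is constructed;
its client addresses are documentation ranges (RFC 5737).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint names the diary lists, plus a few common siblings (assumption).
REDIRECT_PATHS = {"/continue", "/redirect", "/away", "/goto", "/jump",
                  "/out", "/link", "/exit"}
# Query parameters an open-redirect scanner typically fills in (assumption).
REDIRECT_PARAMS = {"url", "next", "redirect", "redirect_uri", "return",
                   "dest", "target"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2025:10:01:02 +0000] "GET /continue?url=http://testdomain.com HTTP/1.1" 404 153
192.0.2.10 - - [12/Feb/2025:10:01:03 +0000] "GET /redirect?url=http://testdomain.com HTTP/1.1" 404 153
192.0.2.10 - - [12/Feb/2025:10:01:03 +0000] "GET /away?url=http://testdomain.com HTTP/1.1" 404 153
192.0.2.10 - - [12/Feb/2025:10:01:04 +0000] "GET /goto?url=http://testdomain.com HTTP/1.1" 302 0
198.51.100.7 - - [12/Feb/2025:10:05:00 +0000] "GET /login?next=/dashboard HTTP/1.1" 200 2311
198.51.100.7 - - [12/Feb/2025:10:05:09 +0000] "GET /redirect?url=https://app.example.com/docs HTTP/1.1" 302 0
203.0.113.5 - - [12/Feb/2025:10:07:00 +0000] "GET /jump?url=//evil.example HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return {ip, path, params, status} for one log line, or None if it
    does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = urlsplit(m["target"])
    return {"ip": m["ip"], "path": p.path,
            "params": parse_qs(p.query), "status": int(m["status"])}


def absolute_redirect_targets(params):
    """Values of redirect-style parameters that are absolute (have a host)
    or scheme-relative ("//host") URLs; relative paths are ignored."""
    hits = []
    for name in REDIRECT_PARAMS.intersection(params):
        for value in params[name]:
            if value.startswith("//") or urlsplit(value).netloc:
                hits.append(value)
    return hits


def find_scanners(log_text, min_distinct_paths=3):
    """Return {ip: {"paths": set, "targets": set, "served": n}} for sources
    that probed at least min_distinct_paths redirect endpoints with
    absolute targets. "served" counts 3xx answers, i.e. endpoints that
    exist and actually redirected, which deserve a closer look."""
    per_ip = defaultdict(lambda: {"paths": set(), "targets": set(), "served": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in REDIRECT_PATHS:
            continue
        targets = absolute_redirect_targets(rec["params"])
        if not targets:
            continue
        d = per_ip[rec["ip"]]
        d["paths"].add(rec["path"])
        d["targets"].update(targets)
        if 300 <= rec["status"] < 400:
            d["served"] += 1
    return {ip: d for ip, d in per_ip.items() if len(d["paths"]) >= min_distinct_paths}


if __name__ == "__main__":
    for ip, d in find_scanners(SAMPLE_LOG).items():
        print(ip, sorted(d["paths"]), sorted(d["targets"]), "redirects served:", d["served"])
```

    On the constructed log only 192.0.2.10 crosses the threshold (four distinct endpoints, one of which answered 302); the host using /login?next=/dashboard is ignored because the target is a relative path, and the lone /jump probe from 203.0.113.5 shows up only if the threshold is lowered to one. Lowering it is reasonable when the endpoint actually answered 3xx, since that is the case where you may have a live open redirect rather than a 404.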


    [owasp1] https://github.com/OWASP/Top10/blob/master/2010/OWASP%20Top%2010%20-%202010%20English.pdf

    [owasp2] https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

    [nytimes] https://www.nytimes.com/interactive/2019/12/22/us/child-sex-abuse-websites-shut-down.html




    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu





  • DOJ charges 30 more people in Minnesota anti-ICE church protest




    Ex-CNN anchor Don Lemon was one of the original nine defendants arrested last month


