I was surfing through my friend’s forum Secworm.net and read this thread about Redirection Vulnerabilities. So I thought of sharing it with you guys.
Phishing is usually considered to be most effective when it’s combined with social engineering, the hacker term for human manipulation. One way phishing can be combined with social engineering is through the exploitation of redirect vulnerabilities. This article will demonstrate to you what redirect vulnerabilities are, how to spot them, and how they can be exploited.
So first things first. What is a redirect vulnerability? A redirect vulnerability is when a webpage uses a script to redirect you to somewhere (usually another page on the website), but they write that script in such a way that it allows a hacker to manipulate it to send you to an external page instead of an internal one. There are many types of redirect vulnerabilities, but we’ll be looking at the most basic type here for now. Example: let’s say we’re logging in to webpage that has this url:
Code:http://www.example.com/login.php?dest=members/index.html
Let’s have a look at the url. It’s all looking pretty ordinary up to login.php, but look one step after that. See the dest=members/index.html? members/index.html is the path to the index page for logged in members, so you can determine that dest=members/index.html is a parameter that is being used by the login.php script to redirect users to the member index page after a successful login. Now if the creator of the login.php script was very security conscious, they’d make sure that the dest field could never point to a url that’s not an approved destination. However, if he didn’t know about redirect vulnerabilities, he would just write the script so that it would redirect the user to whatever address dest pointed to. In order to find which one we’re dealing with for this website, we can change the dest parameter and see how the script responds. For instance:
Code:http://www.example.com/login.php?dest=http://www.google.com
If this page is vulnerable to redirect vulnerabilities, this it should send us to google after we log in. If not, it will generate some sort of error condition and take you to a default page. So if we change the address as specified above, log in, and find ourselves looking at google instead of example.com, then we know it’s vulnerable to redirect vulnerabilities.
Now that you know what redirect vulnerabilities are, can you see how they can be applied to phishing? Let me create a scenario to give you an idea of how redirect vulnerabilities can be used to increase the effectiveness of phishing. Imagine yourself to be a student at a university. You have a school website with the address http://www.myschool.com, and you log in to all your school services (such as mail, course info, etc) through the url
Code:www.sys.myschool.com/login.php?service=
where the service parameter points to the address of the service being accessed, as demonstrated in the following urls:
Code:http://www.portal.myschool.com/login.php?service=sys/mail.php
orhttp://www.portal.myschool.com/login.php?service=sys/courseInfo.php
Phishers have been targeting students of your school lately, so your system administrators have sent everyone an email telling them to check the url of every webpage they log into with their school account to make sure it’s an actual school page and not a phishing page. A hacker is aware of this, and realizing that this advice will give the you and the other students a false sense of security when you’re on pages that are actual school pages, set out looking for a way to get students to access his phishing page from within the school login system itself. He sees the above urls and recognizes their potential to be vulnerable to redirect exploitation and creates a phishing page that looks exactly like your school’s page that is displayed to you when your login fails. Being a phishing page, it sends him all the login credentials of everyone who logs in through it. Once he knows that the login script is indeed vulnerable, he creates a link to his phishing page from the school login page, hoping that students will log in to the school through his link, get redirected to his fake page, enter their information again without realizing that they left the school page, and then become redirected back to their school page without even noticing that anything out of the ordinary had happened. He starts out with a link like this:
Code:http://www.portal.myschool.com/login.php?service=http://badsite.com/fakePage.php
However, he realizes that some of the more observant students might see the external address in the url and be too wary to enter their information, so he changes his url into its hexidecimal representation, either by memory or using a tool like this one: http://secworm.net/showthread.php?tid=3, and achieves an ordinary-looking url like this one:
Code:http://www.portal.myschool.com/login.php?service=%68%74%74%70%3a%2f%2f%62%61%64%73%69%74%65%2e%63%6f%6d%2f%66%61%6b%6 ?5%50%61%67%65%2e%70%68%70
This url gives no indication that it actually redirects students to the hacker’s phishing page, and since you see your school’s domain in the beginning, you and the students think nothing of it. The hacker then sends this link along with an email making the reader want to log in to the student database and steals all their passwords.
Hopefully this will help you understand the basics of redirect vulnerabilities and how they can be used to increase the effectiveness of phishing.
Via. www.Secworm.net