An Open Redirect Vulnerability

Benji Fisher

Introduction

About me

Yellow Pig 

Usability group, Migration subsystem, Security team

Follow along

QR code for https://slides.benjifisher.info 

Open Redirect

Open Redirect: what is it?

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)

Example: NSFW

  • https://www.harvard.edu?destination=https://biggerpackage4u.ru
  • redirects to
  • https://biggerpackage4u.ru.

User follows a link to a harvard.edu web site and finds a silly joke. (Still there on the Wayback Machine)

Example: Phishing

  • https://www.harvard.edu?destination=https://login.harvard-edu.ru
  • redirects to
  • https://login.harvard-edu.ru.

User follows a link to a harvard.edu web site and reaches a page that tries to steal login credentials.

Stop that redirect!

Spot the error

/**
 * Checks whether a URL is a valid redirect.
 *
 * This is a helper function for mymodule_check_user().
 *
 * @param string $url
 *   The URL for a requested redirect.
 *
 * @return bool
 *   TRUE if the redirect should be allowed, FALSE if not.
 */
function _mymodule_redirect_allowed($url) {
  // Allow internal redirects.
  if (!url_is_external($url)) {
    return TRUE;
  }

  // Do not redirect to an invalid URL.
  if (filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED)) {
    return FALSE;
  }

  $host = parse_url($url, PHP_URL_HOST);
  if (empty($host)) {
    return FALSE;
  }

  // Allow any subdomain of harvard.edu.
  if (preg_match('/\.harvard\.edu$/', $host)) {
    return TRUE;
  }

  // Allow any domain ...
  static $allowed_domains = [
    'allowed-1.com',
    // ...
    'allowed-24.org',
  ];
  if (in_array($host, $allowed_domains)) {
    return TRUE;
  }

  // Also allow the www. subdomain of any such domain.
  list($subdomain, $parent) = explode('.', $host, 2) + ['', ''];
  return $subdomain === 'www' && in_array($parent, $allowed_domains);
}

Did you spot the error?

Congrats, you are an awesome code reviewer!

Was it easy to spot?

Simple, well-commented code is

  • Easier to review
  • Easier to debug
  • Easier to test
  • Easier to maintain
  • More secure

Think about code review.

  1. What is the code supposed to do?
  2. What does the code actually do?
  3. Is it
    • secure?
    • performant?
    • maintainable?

If the first two questions use up your time/energy/focus, then you cannot do a good job on the third.

Bonus

  • Based on that code, someone edited the Akamai config.
  • In less than half a day, the open redirect was blocked.
  • Teamwork FTW!
  • Clean code FTW!
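As an added example (not code from the deck or from the module it discusses), a Python version of the check that the PHP helper's comments describe, exercised against the destination URLs from the earlier slides. The function name `redirect_allowed` is assumed, the allow-list entries are placeholders for the elided real list, and `harvard.edu` stands for the site's own domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the deck shows only "allowed-1.com ... allowed-24.org".
ALLOWED_DOMAINS = frozenset({"allowed-1.com", "allowed-24.org"})
SITE_DOMAIN = "harvard.edu"  # the site itself; any subdomain is also an acceptable target


def _is_same_or_subdomain(host: str, domain: str) -> bool:
    """Match the domain itself or a subdomain, but only on a label boundary,
    so 'harvard.edu.evil.example' and 'notharvard.edu' do not match."""
    return host == domain or host.endswith("." + domain)


def redirect_allowed(url: str, allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Decide whether a ?destination= value may be used in a redirect.

    Local paths are allowed. External targets must use http(s) and point at
    SITE_DOMAIN (or a subdomain), an allow-listed domain, or the www. host of
    an allow-listed domain. Anything else, including malformed input, is refused.
    """
    url = url.strip()
    if "\\" in url:
        # Browsers turn backslashes into slashes ("/\evil" becomes "//evil"),
        # so a destination containing one must never be treated as local.
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if not parts.scheme and not parts.netloc:
        # Path-only destination such as "/user/login". Anything starting with
        # "//" (e.g. "///evil") is resolved by browsers as another host: reject.
        return bool(url) and not url.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")  # lowercased, without userinfo or port
    if not host:
        return False
    if _is_same_or_subdomain(host, SITE_DOMAIN):
        return True
    if host in allowed_domains:
        return True
    # The www. host of an allow-listed domain, as in the PHP helper's last step.
    return host.startswith("www.") and host[len("www."):] in allowed_domains
```

Both phishing-style hosts from the slides (`login.harvard-edu.ru`, `biggerpackage4u.ru`) fall through every branch and are refused, while `www.harvard.edu` and the `www.` host of an allow-listed domain pass.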

Wrap up

References

Copyleft

Creative Commons License
This slide deck by Benji Fisher is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Based on a work at https://gitlab.com/benjifisher/slide-decks.