
Open Redirects and Web Security

Redirects are HTTP response codes that send a user to a different URL than the one that was requested. Redirects can be used for many practical purposes and for normal operations, such as implementing a change in the structure of a website, passing a user to a different site, or serving the same content under multiple URLs.

If redirects are not implemented properly, they may lead to open redirects. An open redirect arises when an application allows cyberattackers to pass information to the application that results in users being sent to other locations. Those locations may be websites or servers controlled by cyberattackers where they can distribute malware, trick users into clicking on trusted links, execute malicious code, or perform SEO manipulation.

When an open redirect is used in a phishing attack, the victim receives an email that appears legitimate and includes a link that points to a domain that is correct and expected. In the middle of the URL, there will be parameters that manipulate and change where the link will take them.

To check your site for open redirects:

  • Search your site in Google to see if anything unfamiliar shows up in the search results
  • Look for strange queries
  • Check your server logs or web analytics package for unfamiliar URL parameters
  • Take note of user complaints about your content or malware

In order to prevent open redirects on your website [1]:

Change the redirect code to check the referrer. Most of the traffic coming from your redirect script should be coming from your site, and not a search engine or elsewhere.

Disallow off-site redirects. If your script should only ever send users to an internal page or file (for example, on a page with file downloads), you should specifically disallow off-site redirects.

Consider using a whitelist of safe destinations. Your code would keep a record of all outgoing links, and then check to make sure the redirect is a legitimate destination before forwarding the user on.

Consider signing your redirects. If your website must provide redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. This will allow your own site to do URL redirection without opening your URL redirector to the general public.

Disable or remove redirect. If your site is not using it, disable or remove the redirect.

Robots.txt. Use robots.txt to exclude search engines from the redirect scripts on your site. If your redirect scripts reside in a subfolder with other scripts that don’t need to appear in search results, excluding the entire subfolder may even make it harder for cyberattackers to find redirect scripts.
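
The off-site, whitelist and signing checks described above can be combined in one redirect handler. The sketch below is an added example, not code from the original page or from Google's post; the key, host names and function names are assumptions, and it uses HMAC-SHA256 as the keyed hash because a plain unkeyed hash of the URL could be recomputed by anyone.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Everything named here is an assumption for the demo, not from the page.
SECRET_KEY = b"constructed-demo-key"  # load from a secret store in practice
ALLOWED_HOSTS = {"partner.example", "docs.example.com"}  # constructed allowlist
FALLBACK = "/"  # where refused requests are sent


def sign(target: str) -> str:
    """Keyed hash of the destination, issued only by the site's own link builder."""
    return hmac.new(SECRET_KEY, target.encode(), hashlib.sha256).hexdigest()


def signature_ok(target: str, sig: str) -> bool:
    # compare_digest rejects non-ASCII str, so compare bytes (constant time).
    return hmac.compare_digest(sign(target).encode(), sig.encode())


def allowlisted(target: str) -> bool:
    try:
        parts = urlsplit(target)
        # .hostname drops userinfo and port, so "allowed@other-host" fails.
        return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False


def resolve_redirect(target: str, sig: str = "") -> str:
    """Return the destination to redirect to, or FALLBACK if it is refused."""
    # Browsers treat "\" as "/" and drop tabs/newlines, which Python's parser
    # does not mirror; refuse such input instead of guessing how it parses.
    if not target or any(c == "\\" or ord(c) <= 0x20 for c in target):
        return FALLBACK
    # On-site path: exactly one leading slash ("//host" is an off-site URL).
    if target.startswith("/") and not target.startswith("//"):
        return target
    if allowlisted(target) or (sig and signature_ok(target, sig)):
        return target
    return FALLBACK
```

Links your own pages emit to hosts outside the allowlist would carry `sign(url)` as an extra parameter; a request whose destination or signature has been altered falls back to the home page.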

[1] Google Search Central Blog, 2009, “Open redirect URLs: Is your site being abused?”