February 2, 2009

Secure Redirects

Recently, SANS (a security certification organization) posted an article related to the exploit of the redirect system on Google. The exploit was used to hide URLs in spam e-mails. The article had a lot of detail on the attack, but didn't give much information about how to defend against this type of attack. Since redirect scripts are fairly common as they allow webmasters to track traffic on outbound links, I wanted to post some defensive information.

The Problem

You have paid advertising, or other types of outbound links on your web site, and to track the outgoing traffic you have installed a redirect page. The redirect page invisibly redirects users to the final destination after logging information about the redirect.

The Exploit

To exploit a redirect, you simply need a URL that you want to get past a filter, and a redirect that meets the requirements of the filter. For example, let's say you want to post a link to your web site in a forum that does not allow links to outside web sites. The forum does, however, allow internal links, such as those to other posts on the forum.
The first step is to find a redirector on the domain. So if you are posting on blog.com, you would browse through blog.com, looking at the various outgoing links until you find one that goes to a URL like blog.com/redirect.php?url=www.somesite.com. This is the redirector. To exploit the redirect, you would replace the ad URL with your own URL, i.e. blog.com/redirect.php?url=myurl.com.

The Defense

There are a few defenses, but most of them have drawbacks. For example, you could set up the redirect script to only allow the redirect if the user came from another page on the current site. Unfortunately, many anti-spyware programs hide the referring page, which would prevent legitimate traffic from following the link.
Another option would be to use cookies. However, the same software may disable tracking cookies.
Possibly the most effective method would be to use a check value based on the user's IP address. If you are using your redirects to track ads, and the ad code is dynamically generated, you could add an extra parameter that contains the sum of the four segments of the user's IP address as a check. If the check is not there, or if it fails, the user would be taken to an error message instead of being redirected. An attacker creating a static link would be unable to create a working exploit, because the URL changes for every visitor.
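To make the exploit and the defense concrete, here is an added example (my own code, not from the original post or from any real redirect.php). It shows a minimal open redirector of the kind described under The Exploit next to a hardened handler that implements the IP-octet-sum check from this section: the page-generation side attaches the check to each outbound link, and the redirect side refuses any request whose check does not match the requesting address. It goes one step beyond the post by also including a keyed HMAC variant that binds the check to the destination as well as the visitor's address. The redirect base, destination URLs, client addresses and the secret are all constructed for the example; the parameter names url, chk and sig are my own choices.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed secret for the HMAC variant. A real deployment would load
# this from configuration rather than hard-coding it.
SERVER_SECRET = b"constructed-example-secret"


def params_from_url(url):
    """Flatten the query string of a redirect URL into a dict, as a web
    framework would hand it to the handler."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_redirect_open(params):
    """The 'before' version: an open redirector that sends the visitor to
    whatever the url parameter names, so anyone can craft
    blog.com/redirect.php?url=... pointing wherever they like."""
    dest = params.get("url")
    if not dest:
        return ("error", "missing url")
    return ("redirect", dest)


def ip_octet_sum(client_ip):
    """The check described in the post: the sum of the four segments of the
    visitor's IPv4 address. Rejects anything that is not a dotted quad
    (an IPv6 client, for instance) so the caller can fail closed."""
    parts = client_ip.split(".")
    if len(parts) != 4:
        raise ValueError("not an IPv4 dotted quad: %r" % client_ip)
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % client_ip)
    return sum(octets)


def build_tracked_link(redirect_base, dest, client_ip):
    """Page-generation side: when the ad code is rendered for a visitor,
    emit the redirect link with that visitor's check attached."""
    query = urlencode({"url": dest, "chk": ip_octet_sum(client_ip)})
    return "%s?%s" % (redirect_base, query)


def handle_redirect_checked(params, client_ip):
    """Hardened handler: redirect only if chk matches the requesting
    client's address; otherwise return an error page instead."""
    dest, chk = params.get("url"), params.get("chk")
    if not dest or chk is None:
        return ("error", "missing url or check")
    try:
        expected = ip_octet_sum(client_ip)
    except ValueError:
        return ("error", "unsupported client address")
    if not chk.isdigit() or int(chk) != expected:
        return ("error", "redirect check failed")
    return ("redirect", dest)


def signed_check(client_ip, dest, secret=SERVER_SECRET):
    """Extension of the post's idea: an HMAC over the visitor address and
    the destination. Unlike an octet sum it cannot be recomputed without
    the server secret, and binding dest stops a captured check from being
    reused with a different url value."""
    msg = ("%s|%s" % (client_ip, dest)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def build_signed_link(redirect_base, dest, client_ip, secret=SERVER_SECRET):
    """Page-generation side for the HMAC variant."""
    query = urlencode({"url": dest, "sig": signed_check(client_ip, dest, secret)})
    return "%s?%s" % (redirect_base, query)


def handle_redirect_signed(params, client_ip, secret=SERVER_SECRET):
    """Redirect handler for the HMAC variant; constant-time comparison so
    the check cannot be guessed byte by byte via timing."""
    dest, sig = params.get("url"), params.get("sig")
    if not dest or not sig:
        return ("error", "missing url or signature")
    expected = signed_check(client_ip, dest, secret)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return ("error", "redirect signature failed")
    return ("redirect", dest)


if __name__ == "__main__":
    base = "http://blog.com/redirect.php"      # constructed
    link = build_tracked_link(base, "http://www.somesite.com", "192.168.1.10")
    print(link)
    print(handle_redirect_checked(params_from_url(link), "192.168.1.10"))
    print(handle_redirect_checked(params_from_url(link), "10.0.0.1"))
```

The octet sum does what the post asks: a link copied into a forum or spam message carries the check for whoever generated it, so it fails for everyone else. Its weakness is that the value is trivially computable from a known address, which is why the HMAC variant is worth the extra parameter when the secret can be kept server-side. Both handlers fail closed on a missing or malformed check rather than falling back to the open behaviour.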
