The Problem
You have paid advertising, or other types of outbound links on your web site, and to track the outgoing traffic you have installed a redirect page. The redirect page invisibly redirects users to the final destination after logging information about the redirect.
The Exploit
To exploit a redirect, you simply need to have a URL that you need to get past a filter, and a redirect that meets the requirements of the filter. For example, let's say you want to post a link to your web site in a forum that does not allow links to outside web sites. The forum does, however, allow internal links, such as those to other posts on the forum.
The first step is to find a redirector on the domain. So if you are posting on blog.com, you would browse through blog.com, looking at the various outgoing links until you find one that goes to a URL like blog.com/redirect.php?url=www.somesite.com. This is the redirector. To exploit the redirect, you would replace the ad URL with your own URL - i.e. blog.com/redirect.php?url=myurl.com.
The Defense
There are a few defenses, but most of them have drawbacks. For example, you could set up the redirect script to only allow the redirect if the user came from another page on the current site. Unfortunately, many anti-spyware programs hide the referring page and would prevent legitimate traffic from following the link.
Another option would be to use cookies. However, the same software may disable tracking cookies.
Possibly the most effective method would be to use a code based on the user's IP address. If you are using your redirects to track ads, and the ad code is dynamically generated, you could add an extra parameter that contains the sum of the four segments of the user's IP address as a check. If the check is not there, or if it fails, the user would be taken to an error message instead of being redirected. An attacker creating a static link would be unable to create a working exploit because the URL changes for every visitor.
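One way to implement the per-visitor check described above, as an added example that is not the post's own code. It computes the octet sum the post describes, then goes beyond it with a keyed HMAC over the IP address and the destination, because many addresses share the same sum and the sum does not cover the destination. The secret, the `chk` parameter name, the `/error` page and the sample addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a random server-side secret, never sent to the browser.
SECRET = b"constructed-demo-secret"

def octet_sum(ip: str) -> int:
    """The check described in the post: sum of the four IPv4 segments."""
    return sum(ipaddress.IPv4Address(ip).packed)

def keyed_check(ip: str, dest: str) -> str:
    """Keyed variant (assumption, not from the post): HMAC-SHA256 over
    the visitor's IP and the destination, so neither can be swapped."""
    msg = f"{ip}|{dest}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_ad_link(ip: str, dest: str) -> str:
    """Build the per-visitor link while rendering the page with the ad."""
    query = urlencode({"url": dest, "chk": keyed_check(ip, dest)})
    return "/redirect.php?" + query

def handle_redirect(link: str, client_ip: str) -> tuple:
    """Return (302, destination) if the check matches, else (400, error page)."""
    params = parse_qs(urlparse(link).query)
    dest = params.get("url", [""])[0]
    chk = params.get("chk", [""])[0]
    expected = keyed_check(client_ip, dest)
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    if dest and hmac.compare_digest(chk.encode(), expected.encode()):
        return 302, dest
    return 400, "/error"

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    link = make_ad_link("192.0.2.10", "https://ads.example/landing")
    print(handle_redirect(link, "192.0.2.10"))    # same visitor
    print(handle_redirect(link, "198.51.100.7"))  # link reused elsewhere
    # Two different addresses, same plain sum: why the sum alone is weak.
    print(octet_sum("192.0.2.10"), octet_sum("10.2.0.192"))
```

Because the check is bound to the address, a visitor whose address changes between loading the page and clicking the ad gets the error page.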