Burp Suite - Explain DOM-based open redirection

Burp flags the following JavaScript as possibly vulnerable to DOM-based open redirection. I'm looking for an explanation as to how this could possibly be exploited.

Here's a screenshot of the lines that Burp highlighted:
http://i.imgur.com/OowhptJ.png


```javascript
if (setRequestHeaderMethodExists) {
    xmlRequest.onreadystatechange = WebForm_CallbackComplete;
    callback.xmlRequest = xmlRequest;
    // e.g. http:
    // Request target comes from the form's action attribute, or the current path as a fallback
    var action = theForm.action || document.location.pathname, fragmentIndex = action.indexOf('#');
    if (fragmentIndex !== -1) {
        // Drop any fragment (#...) before using the value as a URL
        action = action.substr(0, fragmentIndex);
    }
    if (!__nonMSDOMBrowser) {
        var queryIndex = action.indexOf('?');
        if (queryIndex !== -1) {
            var path = action.substr(0, queryIndex);
            if (path.indexOf("%") === -1) {
                // Only the path is percent-encoded; the query string is appended unchanged
                action = encodeURI(path) + action.substr(queryIndex);
            }
        }
        else if (action.indexOf("%") === -1) {
            action = encodeURI(action);
        }
    }
    // The assembled value is used as the XHR target without any origin check
    xmlRequest.open("POST", action, true);
    xmlRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
    xmlRequest.send(postData);
    return;
}
```
awarded to dekkard


1 Solution

Winning solution

From https://www.owasp.org/index.php/Open_redirect :

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Consequences: Phishing 

Basically it's complaining that it might be possible to craft a malicious URL that a user will be redirected to, because this code doesn't check the parameters passed in after ? when it assembles the URL here:

action = encodeURI(path) + action.substr(queryIndex); // action.substr(queryIndex) is placed as is

Here are examples from OWASP of what an exploit might look like:

http://www.vulnerable.com?redirect=http://www.attacker.com

The phishing use can be more complex, using complex encoding:

Real redirect: http://www.vulnerable.com/redirect.asp?=http://www.links.com

Faked link: http://www.vulnerable.com/security/advisory/23423487829/../../../redirect.asp%3F%3Dhttp%3A//www.facked.com/advisory/system_failure/password_recovery_system

Note that as with all static analysis this might only show a potential vulnerability. Eventually it depends on your use case, and your app does not necessarily have to be vulnerable.
dekkard over 3 years ago
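As an added example (not code from the question or from dekkard's answer), the first function below reproduces the string handling of the highlighted snippet in plain Node-compatible JavaScript, so you can see that the query part of `action` is passed through untouched; the second adds the same-origin check the snippet lacks, which is what turns the potential finding into a non-issue. The `nonMsDomBrowser` flag and the `PAGE` URL are assumed sample values.

```javascript
// Added example, not the page's own code: mirrors the snippet's handling of
// `action` and adds a same-origin guard that the highlighted code does not have.

// Mirror of the snippet: strip the fragment, then percent-encode only the path
// (and only when it contains no '%' already); the query string is appended as-is.
function normalizeAction(action, nonMsDomBrowser) {
  const fragmentIndex = action.indexOf('#');
  if (fragmentIndex !== -1) action = action.substr(0, fragmentIndex);
  if (!nonMsDomBrowser) {
    const queryIndex = action.indexOf('?');
    if (queryIndex !== -1) {
      const path = action.substr(0, queryIndex);
      if (path.indexOf('%') === -1) {
        action = encodeURI(path) + action.substr(queryIndex); // query untouched
      }
    } else if (action.indexOf('%') === -1) {
      action = encodeURI(action);
    }
  }
  return action;
}

// Defensive check missing from the snippet: resolve `action` against the page's
// own URL and accept it only if it still points at the same origin over http(s).
// Rejects absolute cross-origin URLs, protocol-relative "//host/..." forms,
// scheme changes and non-http schemes.
function isSameOriginAction(action, pageHref) {
  let base, resolved;
  try {
    base = new URL(pageHref);
    resolved = new URL(action, base);
  } catch (e) {
    return false; // unparseable value: do not use it as a request target
  }
  const httpLike = resolved.protocol === 'http:' || resolved.protocol === 'https:';
  return httpLike && resolved.origin === base.origin;
}

// Constructed sample values (assumed, not taken from the page).
const PAGE = 'https://app.example/forms/page.aspx';
function demo() {
  return ['/forms/page.aspx?q=1', '//other.example/page', 'https://other.example/x?y=1']
    .map((a) => ({ action: normalizeAction(a, false), ok: isSameOriginAction(a, PAGE) }));
}
```

`demo()` shows that all three values survive `normalizeAction` unchanged, and only the first passes the origin check.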