
URL redirection: Difference between revisions

Scribbie (talk | contribs)
Reverted 1 edit by 103.158.159.222 (talk)
==Security issues==
 
URL redirection can be abused by attackers for [[phishing]] attacks, such as [[Open Redirect|open redirect]] and [[Covert Redirect|covert redirect]]. "An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation."<ref name="Open_Redirect" /> "Covert redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation."<ref name="Covert_Redirect" /> It was disclosed in May 2014 by a mathematics doctoral student, Wang Jing, from Nanyang Technological University, Singapore.<ref name="CNET" />
=== Open redirects ===
URL redirection can be abused by attackers to perform [[phishing]] attacks. If a redirect target is not sufficiently validated by a web application, an attacker can make the web application redirect to an arbitrary website. This vulnerability is known as an open-redirect vulnerability.<ref name=":0">{{Cite journal |last=Innocenti |first=Tommaso |last2=Golinelli |first2=Matteo |last3=Onarlioglu |first3=Kaan |last4=Mirheidari |first4=Ali |last5=Crispo |first5=Bruno |last6=Kirda |first6=Engin |date=2023-12-04 |title=OAuth 2.0 Redirect URI Validation Falls Short, Literally |url=https://dl.acm.org/doi/10.1145/3627106.3627140 |journal=Proceedings of the 39th Annual Computer Security Applications Conference |series=ACSAC '23 |location=New York, NY, USA |publisher=Association for Computing Machinery |pages=256–267 |doi=10.1145/3627106.3627140 |isbn=979-8-4007-0886-2}}</ref> In certain cases, when an open redirect occurs as part of an [[authentication]] flow, the vulnerability is known as a covert redirect. When a covert redirect occurs, the attacker's website can steal [[Authentication cookie|authentication information]] from the victim website.<ref name=":0" /> Open redirect vulnerabilities are fairly common on the web. In June 2022, TechRadar found over 25 active examples of open redirect vulnerabilities on the web, including sites like [[Google]] and [[Instagram]].<ref>{{Cite web |last=published |first=Mike Williams |date=2022-06-05 |title=What is an Open Redirect vulnerability, why is it dangerous and how can you stay safe? |url=https://www.techradar.com/features/what-is-open-redirect-vulnerability |access-date=2024-04-08 |website=TechRadar |language=en}}</ref> Open redirects have their own CWE identifier, CWE-601.<ref>{{Cite web |title=CWE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (4.14) |url=https://cwe.mitre.org/data/definitions/601.html |access-date=2024-04-08 |website=cwe.mitre.org}}</ref>
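As an added illustration (not part of the article or any cited source), the following Python shows the difference between a redirect handler that trusts its parameter (the open-redirect pattern, CWE-601) and one that only follows targets resolving to the site's own origin. The origin `https://example.com` and the hostname `evil.example` are constructed placeholders; the checks for backslashes and leading double slashes reflect how browsers treat those characters in URLs, which differs from Python's `urljoin`.

```python
from urllib.parse import urljoin, urlparse

# Constructed placeholder for the application's own origin.
SITE_ORIGIN = "https://example.com"


def location_unvalidated(next_param: str) -> str:
    """Vulnerable pattern: the Location header is whatever the caller supplied."""
    return next_param


def is_safe_redirect(target: str, origin: str = SITE_ORIGIN) -> bool:
    """Return True only if `target` resolves to a URL on `origin` itself."""
    if not target:
        return False
    # Browsers strip tabs/newlines and tolerate leading whitespace; reject
    # them outright instead of trying to mirror that normalisation.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in target):
        return False
    # Browsers treat a backslash like a forward slash in special-scheme URLs,
    # so "/\evil.example" is really "//evil.example".
    normalised = target.replace("\\", "/")
    # Two or more leading slashes are parsed by browsers as an authority
    # ("///evil.example" goes to evil.example); urljoin would not agree.
    if normalised.startswith("//"):
        return False
    resolved = urlparse(urljoin(origin + "/", normalised))
    expected = urlparse(origin)
    # Compare scheme and the full netloc (userinfo, host and port), so
    # "https://example.com@evil.example/" and "http://example.com/" both fail.
    return resolved.scheme == expected.scheme and resolved.netloc == expected.netloc


def location_validated(next_param: str, fallback: str = "/") -> str:
    """Hardened pattern: follow the parameter only if it stays on our origin."""
    return next_param if is_safe_redirect(next_param) else fallback


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/login", "/\\evil.example",
                      "https://example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {location_validated(candidate)}")
```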
 
==See also==