URL jump vulnerability

URL Jump Vulnerability （URL Redirection vulnerability ）, Jump vulnerability is generally used for phishing attacks .

https://link.zhihu.com/?target=https://edu.lagou.com/

principle ：
        URL Jump vulnerabilities are essentially exploits Web Business with redirection function in application , Redirect users from one website to another . The simplest way to use it is to induce users to visit http://www.aaa.com?returnUrl=http://www.evil.com, With the help of www.aaa.com Let users access www.evil.com, This vulnerability is exploited, which is a loss to users and the company .

1、 Use scenarios

（1） The login function has always been URL Jump to the hardest hit area of the vulnerability , Users visit a business on the website , When it comes to account role permissions, you must jump to the login interface , In order to ensure that the user experience authentication is completed, it is necessary to automatically return to the page the user browsed before . This time, it happened URL Hidden danger of jump vulnerability .

         for instance , For example, the user is visiting http://www.aaa.com/detail?sku=123456 The goods , Trigger login operation when adding shopping cart , Jump to the unified login authentication page to log in , At this time, the access link is http://login.aaa.com?returnUrl=http://www.aaa.com/detail?sku=123456, After the authentication is successful, the browser continues to return to the product details page to facilitate the user to purchase . if login.aaa.com Yes returnUrl The parameter check is not strict or even not checked , You can jump to any website through this link .

         After login 302 Jump to Baidu home page , here returnUrl No inspection was carried out , You can jump to the third-party page at will . Same as login function , The exit function of the website also exists URL Jump the risk of vulnerability . Other similar jump functions include jump after SMS verification code authentication 、 Jump after sharing or collecting 、 Jump after authorizing the third party , Their common feature is to enter another page for some operation from one page , After the operation, return to the original page to continue browsing . In some multi-step operations , Click the next button to pass fromUrl Parameters , This parameter will become a hyperlink to return to the previous step , As shown below ： 

         Even in some businesses callback Parameters also exist URL Jump Vulnerability . Common parameter values are return、redirect、url、jump、goto、target、link etc. , In the process of digging holes at ordinary times, you might as well pay attention to whether the request contains relatively complete URL Address , Test these parameters . 

（2） If lagou.com One of the following web This vulnerability exists in the application , A malicious attacker can send a message to the user lagou.com Link to , But after the user opens , But came to the phishing website page , It will cause users to be attacked by phishing , Account stolen , Or the property related to the account is stolen .

（3） The scenario where the vulnerability occurs ：

1. The user login 、 Unified identity authentication office , After certification, it will jump
2. User sharing 、 After the collection , Can jump
3. Cross site authentication 、 After authorization , Can jump
4. When you click on other website links , Can jump
5. After the business is completed, jump to
   • For example, change the password , After the modification, go to the landing page , Bind bank card , After binding successfully, return to the bank card recharge and other pages
   • Such as evaluation system , Complete the questionnaire 、 Jump to the page after customer service evaluation and other business operations

（4） The reason for the vulnerability ：

• When writing code, I didn't consider any URL Jump Vulnerability , Or not at all / I don't think this is a loophole ;
• Thoughtless when writing code , Use substring 、 Take suffixes and other methods to simply judge , Code logic can be bypassed ;
• Do some wonderful operations on the incoming parameters ( Domain name cut / Splicing / restructuring ) And judgment , Run counter to one's desire , Be bypassed ;
• The parsing of the original language URL、 Determine whether the function library of the domain name has a logical vulnerability or unexpected features , Can be bypassed ;
• The original language 、 The server / Container characteristics 、 Browser and other standards URL The protocol parsing process is so different that it is bypassed .

（5） Common parameter names

• redirect
• redirect_to
• redirect_url
• url
• jump
• jump_to
• target
• to
• link
• linkto
• domain

2、URL Jump vulnerability mining

Later, assume that the source domain name is ：www.abc.com The domain to jump to is ：www.evil.com ( go fishing )

（1） No inspection , Direct jump

// To obtain parameters 
String url = request.getParameter("returnUrl");
// Redirect 
response.sendRedirect(url);

（2） Domain name string detection spoofing , The code is not perfect , Vulnerability

// To obtain parameters 
String url = request.getParameter("returnUrl");
// Determine whether the domain name is included 
if (url.indexOf("www.abc.com ") !=-1){
    response.sendRedirect(url);
}

http://www.abc.com?returnUrl=http://www.abc.com.evil.com
http://www.abc.com?returnUrl=http://www.evil.com/www.abc.com

（3）bypass The way

http://www.aaa.com?returnUrl=http://www.aaa.com.evil.com
http://www.aaa.com?returnUrl=http://www.evil.com/www.aaa.com

If you cooperate again URL Various characteristic symbols of , There are many ways to bypass . such as

Use question marks ?：
http://www.aaa.com?returnUrl=http://www.evil.com?www.aaa.com
Use backslashes ：
http://www.aaa.com?returnUrl=http://www.evil.comwww.aaa.com
http://www.aaa.com?returnUrl=http://www.evil.com\www.aaa.com
utilize @ Symbol ：
http://www.aaa.com?returnUrl=http://[email protected]
Use the well number #：

http://www.aaa.com?returnUrl=http://www.evil.com#www.aaa.com
http://www.aaa.com?returnUrl=http://www.evil.com#www.aaa.com?www.
aaa.com

Missing agreement ：
http://www.aaa.com?returnUrl=/www.evil.com
http://www.aaa.com?returnUrl=//www.evil.com
Multiple jumps , namely aaa Companies trust ccc company ,ccc The company also has loopholes or provides jump Services :
http://www.aaa.com?returnUrl=http://www.ccc.com?jumpto=http://www.evil.com

3、 Protection plan

Limit referer、 add to token, This can prevent malicious users from constructing jump links and spreading them everywhere , The most fundamental way to fix this vulnerability is to strictly check the jump domain name .

1. Code fixed jump address , Don't let users control variables
2. The jump target address adopts the white list mapping mechanism such as 1 representative edu.lagou.com,2 representative job.lagou.com, Other log records
3. Reasonable and sufficient verification mechanism , Verify the destination address of the jump , Inform the user of the jump risk when it is not your own address