A URL redirection sends the browser from one URL to another URL. For example, if a link at
http://www.example.com/login.php?redirect=http://www.example.com/home.php
brings you to
http://www.example.com/home.php
this is a URL redirection.
A URL Redirection Attack is a kind of vulnerability in which a page redirects you freely to another page outside the original website, and it is usually combined with a phishing attack. For example, a link at
http://www.example.com/login.php?redirect=http://www.examp1e.com/home.php
will, on clicking, bring you to
http://www.examp1e.com/home.php
This page could be a malicious page that resembles the original and tries to trick the user into giving up their credentials. Notice the “l” and the “1”, which can catch some unwary users off-guard. This is a URL redirection attack.
—
Examples
- Yahoo!
This is a Yahoo! ad link I randomly picked from the Yahoo! main page:
http://us.ard.yahoo.com/SIG=152qjujd5/M=635447.12008473.12439042.9413843/D=yahoo_top/S=2716149:MKP1/_ylt=Aq5b314JJAcHbNKRSsc_Nc71cSkA;_ylg=X3oDMTA1NnVjODhvBGNjA2pw/Y=YAHOO/EXP=1214212570/L=tPTX3ES00lum1O1VR5SP5Mdozy5cEEhfTboADWZ_/B=0nxmEEWTWU0-/J=1214205370890230/A=4758808/R=0/SIG=13r3d7ici/*http://autos.yahoo.com/newcars/buy.html;_ylc=X3oDMTFjMXJjcHYxBF9TAzI3MTYxNDkEc2VjA2ZwLW1hcmtldHBsYWNlBHNsawNnYXEtdGV4dC0x
Try changing the destination part (everything after the final `*`) as shown:
http://us.ard.yahoo.com/SIG=152qjujd5/M=635447.12008473.12439042.9413843/D=yahoo_top/S=2716149:MKP1/_ylt=Aq5b314JJAcHbNKRSsc_Nc71cSkA;_ylg=X3oDMTA1NnVjODhvBGNjA2pw/Y=YAHOO/EXP=1214212570/L=tPTX3ES00lum1O1VR5SP5Mdozy5cEEhfTboADWZ_/B=0nxmEEWTWU0-/J=1214205370890230/A=4758808/R=0/SIG=13r3d7ici/*http://1089059683/#http://autos.yahoo.com/newcars/buy.html;_ylc=X3oDMTFjMXJjcHYxBF9TAzI3MTYxNDkEc2VjA2ZwLW1hcmtldHBsYWNlBHNsawNnYXEtdGV4dC0x
It will effectively bring you to the Google main page. You might argue it is already suspicious for anyone to click that link, despite the authentic domain: http://us.ard.yahoo.com/ .
- Baidu
One more example, from a very well-known search engine in China, Baidu. On its main page, it has a “Set as homepage” function:
http://utility.baidu.com/traf/click.php?id=215&url=http://www.baidu.com
which redirects you to its main page after clicking it.
Now, change the `url` parameter into the one below:
http://utility.baidu.com/traf/click.php?id=215&url=http://log0.wordpress.com
This will bring you back here! (Oh, I’m sorry =) )
Just imagine if this happened on some other, larger site: it could be used to phish users’ personal information, or to redirect them to malicious sites that exploit browser vulnerabilities and infect them.
Prevention
If you search for “Log0” in Yahoo!, you will find me at rank 3 (as of now). Yahoo! redirects you to me through this:
http://rds.yahoo.com/_ylt=A0oGkmQGTV9IAQUBC0hXNyoA;_ylu=X3oDMTEyMWJuc2o5BHNlYwNzcgRwb3MDMwRjb2xvA3NrMQR2dGlkA0gxMzlfNzI-/SIG=11eshlhg8/EXP=1214291590/**http%3a//log0.wordpress.com/
It is a long link; notice http://log0.wordpress.com at the end. Now let’s change that link into www.google.com:
http://rds.yahoo.com/_ylt=A0oGkmQGTV9IAQUBC0hXNyoA;_ylu=X3oDMTEyMWJuc2o5BHNlYwNzcgRwb3MDMwRjb2xvA3NrMQR2dGlkA0gxMzlfNzI-/SIG=11eshlhg8/EXP=1214291590/**http%3a//www.google.com/
This will bring you to a 403 Forbidden page at Yahoo! that warns you about the destination. In this case, Yahoo! checks whether the link matches the one in its database. That is a protection: basically, it verifies whether or not the redirect destination is the one originally intended.
By now I hope you are familiar with what a URL Redirection Attack is, and have an idea of how to prevent it.
Please do not use this for malicious purposes; I show these examples only for educational purposes. I have notified the domain masters of the problems above.
UPDATED :
I forgot to explain how the Google link got in there. That is URL obfuscation. More on that here.
http://1089059683/ is actually the IP of a Google web server, written as a single decimal number.
http://64.233.187.99/ = http://www.google.com
64 * 256 + 233 = 16617; 16617 * 256 + 187 = 4254139; 4254139 * 256 + 99 = 1089059683, giving http://1089059683/
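As an added example (not code from the original post), here is the destination check described under Prevention, placed beside the naive substring test that the obfuscated Yahoo! link above defeats, plus the dotted-quad to decimal conversion from this update. The allowlist hosts are assumed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts a redirect may target.
ALLOWED_HOSTS = {"www.example.com", "autos.yahoo.com"}


def dotted_to_decimal(ip: str) -> int:
    """Fold a dotted-quad IPv4 address into the single integer a browser also
    accepts as a host, e.g. 64.233.187.99 -> 1089059683 (http://1089059683/)."""
    value = 0
    for octet in ip.split("."):
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in {ip!r}")
        value = value * 256 + n
    return value


def naive_is_safe(target: str) -> bool:
    """Weak check: the expected domain merely appears somewhere in the string.
    The obfuscated link passes because autos.yahoo.com sits after the '#'."""
    return "yahoo.com" in target


def is_safe_redirect(target: str) -> bool:
    """Verify the destination is one we intend, as Yahoo!'s 403 does:
    parse the URL and compare the real host against the allowlist."""
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, ...
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative (//host/...) URL: hostname is lower-cased,
        # stripped of port/userinfo, and None for malformed forms such as
        # http:///evil that browsers would still treat as a host.
        return parts.hostname in ALLOWED_HOSTS
    # Path-only redirect: one leading slash, never "//" or "/\" (host-relative
    # forms that browsers promote to a different site).
    return parts.path.startswith("/") and not parts.path.startswith(("//", "/\\"))


if __name__ == "__main__":
    obfuscated = "http://1089059683/#http://autos.yahoo.com/newcars/buy.html"
    print(dotted_to_decimal("64.233.187.99"))                       # 1089059683
    print(naive_is_safe(obfuscated), is_safe_redirect(obfuscated))  # True False
    print(is_safe_redirect("http://www.examp1e.com/home.php"))      # False
```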