URL Redirection Attack With Examples

A URL redirection takes the browser from one URL to another. For example, if a link at

http://www.example.com/login.php?redirect=
http://www.example.com/home.php

brings you to

http://www.example.com/home.php

This is a URL Redirection.

A URL redirection attack abuses a vulnerability in which a link on the original website can send you to an arbitrary page outside that site. It is usually combined with a phishing attack. For example, a link at

http://www.example.com/login.php?redirect=
http://www.examp1e.com/home.php

will, when clicked, bring you to

http://www.examp1e.com/home.php

This could be a malicious page that resembles the original and tries to trick the user into giving up their credentials. Notice the “l” and the “1” in the domain, which can catch unwary users off-guard. This is a URL redirection attack.

Examples

– Yahoo!

This is a Yahoo! ad link I picked at random from the Yahoo! main page:

http://us.ard.yahoo.com/SIG=152qjujd5/M=635447.12008473.12439042.9413843/
D=yahoo_top/S=2716149:MKP1/_ylt=Aq5b314JJAcHbNKRSsc_Nc71cSkA;
_ylg=X3oDMTA1NnVjODhvBGNjA2pw/Y=YAHOO/
EXP=1214212570/L=tPTX3ES00lum1O1VR5SP5Mdozy5cEEhfTboADWZ_/
B=0nxmEEWTWU0-/J=1214205370890230/
A=4758808/R=0/SIG=13r3d7ici/*

http://autos.yahoo.com/newcars/buy.html;
_ylc=X3oDMTFjMXJjcHYxBF9TAzI3MTYxNDkEc2VjA2ZwLW1hcmtldHBsYWNlBHNsawNnYXEtdGV4dC0x

Try changing the destination part (the URL after the final “*”, shown in red on the original page) as shown:

http://us.ard.yahoo.com/SIG=152qjujd5/M=635447.12008473.12439042.9413843/
D=yahoo_top/S=2716149:MKP1/_ylt=Aq5b314JJAcHbNKRSsc_Nc71cSkA;
_ylg=X3oDMTA1NnVjODhvBGNjA2pw/Y=YAHOO/
EXP=1214212570/L=tPTX3ES00lum1O1VR5SP5Mdozy5cEEhfTboADWZ_/
B=0nxmEEWTWU0-/J=1214205370890230/
A=4758808/R=0/SIG=13r3d7ici/

*http://1089059683/#http://autos.yahoo.com/newcars/buy.html;
_ylc=X3oDMTFjMXJjcHYxBF9TAzI3MTYxNDkEc2VjA2ZwLW1hcmtldHBsYWNlBHNsawNnYXEtdGV4dC0x

This effectively brings you to the Google main page. You might argue that the link already looks suspicious enough that nobody would click it, despite the authentic domain http://us.ard.yahoo.com/.

– Baidu

One more example: Baidu, a very well-known search engine in China. Its main page has a “Set as homepage” link:

http://utility.baidu.com/traf/click.php?id=215&url=http://www.baidu.com

which redirects you to its main page after clicking it.

Now change the url parameter (shown in red on the original page) to the one below:

http://utility.baidu.com/traf/click.php?id=215&url=https://log0.wordpress.com

This will bring you back here! ( Oh I’m sorry =) )

Just imagine this on some other large site: it can be used to phish users’ personal information, or to redirect them to malicious sites that exploit browser vulnerabilities and infect them.

Prevention

If you search for “Log0” in Yahoo!, you will find me at rank 3 (as of now). Yahoo! redirects you to me through this link:

http://rds.yahoo.com/_ylt=A0oGkmQGTV9IAQUBC0hXNyoA;
_ylu=X3oDMTEyMWJuc2o5BHNlYwNzcg
Rwb3MDMwRjb2xvA3NrMQR2dGlkA0gxMzlfNzI-/
SIG=11eshlhg8/EXP=1214291590/**
http%3a//log0.wordpress.com/

It is a long link; notice log0.wordpress.com at the end. Now let’s change that into http://www.google.com:

http://rds.yahoo.com/_ylt=A0oGkmQGTV9IAQUBC0hXNyoA;
_ylu=X3oDMTEyMWJuc2o5BHNlYwNzcg
Rwb3MDMwRjb2xvA3NrMQR2dGlkA0gxMzlfNzI-/
SIG=11eshlhg8/EXP=1214291590/**
http%3a//www.google.com/

This brings you to a 403 Forbidden page at Yahoo! that warns you about the destination. In this case Yahoo! checks whether the link matches the one in its database. That is the protection: it verifies that the redirect destination is the one originally intended.

By now I hope you are familiar with what a URL redirection attack is, and have an idea of how to prevent it.

Please do not use this for malicious purpose, I show these examples only for educational purposes. I have notified the above domain masters of the problems above.

UPDATED :

I forgot to explain how the Google link got in there. That is URL obfuscation. More here.

http://1089059683/ is actually the IP address of a Google web server, written as a single decimal number.

http://64.233.187.99/ = http://www.google.com
((64 * 256 + 233) * 256 + 187) * 256 + 99 = 1089059683, i.e. http://1089059683/
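The destination check that the Prevention section credits to Yahoo!, together with the dotted-quad to decimal arithmetic just shown, as an added Python example (not code from the post, nor from Yahoo! or Baidu). ALLOWED_HOSTS and the function names are assumptions; the check refuses the decimal-IP host, the examp1e.com look-alike and the real URL hidden behind a # fragment, and also rejects a few variants the post does not show (a %-encoded scheme, a scheme-relative //host, and a user@host prefix), while a plain substring match lets the fragment trick through.

```python
# Added example (not code from the post): the destination check the post
# credits to Yahoo!, plus the dotted-quad <-> decimal arithmetic it shows.
from ipaddress import IPv4Address
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts this site may redirect to (assumption).
ALLOWED_HOSTS = {"www.example.com", "autos.yahoo.com"}


def dotted_to_decimal(dotted: str) -> int:
    """64.233.187.99 -> ((64*256 + 233)*256 + 187)*256 + 99 = 1089059683."""
    value = 0
    for octet in dotted.split("."):
        value = value * 256 + int(octet)
    return value


def decimal_to_dotted(value: int) -> str:
    """Inverse: 1089059683 -> '64.233.187.99'."""
    return str(IPv4Address(value))


def naive_check(target: str) -> bool:
    """Substring match: wrongly accepts http://1089059683/#http://autos.yahoo.com/..."""
    return any(host in target for host in ALLOWED_HOSTS)


def is_safe_redirect(target: str) -> bool:
    """True only if the redirect parameter may be followed (otherwise serve a 403)."""
    if "\\" in target:                  # browsers treat \ like /, so refuse it
        return False
    text = unquote(target)              # undo %3a-style encoding first
    if text.startswith("/") and not text.startswith("//"):
        return True                     # same-site relative path such as /home.php
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        return False                    # also rejects //host (scheme-relative)
    host = parts.hostname               # lower-cased; drops port and user@ part
    if host is None:
        return False
    try:                                # a bare IP, decimal or dotted, is never
        IPv4Address(host if "." in host else int(host))  # an allowlisted name
        return False
    except ValueError:
        pass
    # look-alikes such as examp1e.com simply fail the exact match
    return host in ALLOWED_HOSTS
```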


6 Responses to “URL Redirection Attack With Examples”


  1. Josh January 11, 2009 at 3:06 pm

    First of all, congratulations for such a great site. I learned a lot reading here today. I will make sure I visit this site more often so I can learn more.

    Make your long URLs shorter – Free URL redirection – Hide your affiliate URLs

  2. KD May 13, 2011 at 8:37 am

    I like it. Thanks!

  3. sean July 18, 2011 at 3:47 pm

    Can you help me, please?

    I’m in China right now visiting family, and I was happily using my Tumblr when suddenly:

    http://nfdnserror1.wo.com.cn:8080/?HOST=www.tumblr.com&R=/&

    This URL started to plague my existence. Now, when I try to access Tumblr, I get redirected to Baidu. Could you help me? In simple terms, preferably, as I’m rather computer illiterate.

    Thanks!

  4. click May 26, 2012 at 3:04 pm

    I have got one recommendation for your website. It seems like right now there are a couple of cascading stylesheet troubles when opening a selection of web pages within Google Chrome and Opera. It is functioning okay in Internet Explorer. Probably you can double-check that.

  5. drdoomslair July 5, 2012 at 3:58 pm

    Nice article but I don’t understand one thing:
    You usually say, “change this part with this part” but how can you change it?

    For example, let’s assume I am an attacker and I try to redirect the user to a phishing site instead of the normal Baidu home page. I must have access to the Baidu source page so that my changes will persist and be able to achieve malicious redirects, right?

    What is the standard practice for this?

