
Open Redirect

🔍 Introduction

Open Redirect is an attack that abuses a web service's feature of redirecting based on user input in order to send the user to a domain of the attacker's choosing.

๋ณดํ†ต์˜ ์‚ฌ๋žŒ๋“ค์€ ์›น ์„œ๋น„์Šค์˜ URL์„ ๋ณผ ๋–„ ๋„๋ฉ”์ธ์„ ์‹ ๋ขฐํ•˜๊ธฐ ๋•Œ๋ฌธ์— ํ•ด๋‹น ๋„๋ฉ”์ธ์˜ ๋งํฌ๋ฅผ ์‹ ๋ขฐํ•˜๊ณ  ํด๋ฆญํ•˜๋Š”๋ฐ, ์ด ๋•Œ Open Redirect๊ฐ€ ์žˆ๋Š” ๊ฒฝ์šฐ ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•œ ์‚ฌ์ดํŠธ๋กœ ์ด๋™์‹œํ‚ฌ ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๊ฐ€๋ณ๊ฒŒ๋Š” ํ”ผ์‹ฑ๋ถ€ํ„ฐ ์—ฐ๊ณ„๋˜์–ด XSS๋‚˜ ๊ณ„์ • ํƒˆ์ทจ๋“ฑ์—๋„ ์ถฉ๋ถ„ํžˆ ์ด์šฉ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

🗡 Offensive techniques

Detect

ํƒ์ง€ ๋ฐฉ๋ฒ•์€ ๊ฐ„๋‹จํ•ฉ๋‹ˆ๋‹ค. ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ์„ ๊ธฐ๋ฐ˜์œผ๋กœํ•œ redirect ํŽ˜์ด์ง€๋ฅผ ์ฐพ์œผ๋ฉด ๋˜๋Š”๋ฐ, ์„œ๋น„์Šค์— ๋”ฐ๋ผ์„œ ์ŠคํŽ™์œผ๋กœ ๋ณด๋Š” ๊ฒฝ์šฐ๋„ ์žˆ์–ด์„œ ๋ฆฌ์Šคํฌ๋ฅผ ์ฆ๋ช…ํ•˜์—ฌ ํ•ด๊ฒฐํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

Request

GET /redirect?url=https://untrusted.domain HTTP/1.1

Response

HTTP/1.1 302 Found
Location: https://untrusted.domain

Redirect status code

Status code  Message
300          Multiple Choices
301          Moved Permanently
302          Found
303          See Other
304          Not Modified
305          Use Proxy
307          Temporary Redirect
308          Permanent Redirect
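The Detect step above boils down to one check: a 3xx response whose Location host equals the host supplied in a request parameter and is not the service's own host. The following added example (not code from the original page) implements that check over a constructed request/response pair mirroring the one shown above, so it can be run offline against proxy or scanner logs; the host name www.hahwul.com used as the "own host" is an assumption.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Status codes a browser follows to the Location header. 304 and 305 appear in the
# table above but are not followed as redirects, so they are left out here.
REDIRECT_CODES = {300, 301, 302, 303, 307, 308}


def parse_raw_response(raw: str):
    """Split a raw HTTP response into (status_code, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers


def reflected_redirect_host(request_line: str, raw_response: str, own_host: str) -> Optional[str]:
    """Return the external host the response redirects to when that host was supplied
    in a request parameter (the open-redirect signature); otherwise return None."""
    request_target = request_line.split()[1]            # "/redirect?url=..."
    query = parse_qs(urlsplit(request_target).query)    # {"url": ["https://..."]}
    code, headers = parse_raw_response(raw_response)
    if code not in REDIRECT_CODES or "location" not in headers:
        return None
    location_host = (urlsplit(headers["location"]).hostname or "").lower()
    if not location_host or location_host == own_host.lower():
        return None                                     # same-site redirect: not an open redirect
    for values in query.values():
        for value in values:
            if (urlsplit(value).hostname or "").lower() == location_host:
                return location_host                    # a parameter value controlled the destination
    return None


# Constructed sample exchange mirroring the request/response pair above.
SAMPLE_REQUEST = "GET /redirect?url=https://untrusted.domain HTTP/1.1"
SAMPLE_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: https://untrusted.domain\r\nContent-Length: 0\r\n\r\n"
SAFE_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: https://www.hahwul.com/login\r\n\r\n"

if __name__ == "__main__":
    print(reflected_redirect_host(SAMPLE_REQUEST, SAMPLE_RESPONSE, "www.hahwul.com"))  # untrusted.domain
    print(reflected_redirect_host(SAMPLE_REQUEST, SAFE_RESPONSE, "www.hahwul.com"))    # None
```

The comparison is on the parsed host name rather than on the raw strings, so a Location that merely contains the parameter value (for example a same-site page that echoes it in its query string) is not reported.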

Exploitation

Phishing

๊ธฐ๋ณธ์ ์œผ๋กœ Open redirect๋Š” ํ”ผ์‹ฑ์— ์‚ฌ์šฉ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์‚ฌ์šฉ์ž๋Š” ์‹ ๋ขฐํ•˜๋Š” ๋„๋ฉ”์ธ์˜ ๋งํฌ๋งŒ ๋ณด๊ณ  ์ ‘๊ทผํ•˜๊ธฐ ๋•Œ๋ฌธ์— redirect๋ฅผ ํ†ตํ•ด ์‚ฌ์šฉ์ž์˜ ์ •๋ณด๋ฅผ ํƒˆ์ทจํ•˜๋ ค๋Š” ์œ„์žฅ๋œ ํŽ˜์ด์ง€๋กœ ์ด๋™์‹œ์ผœ ์ •๋ณด๋ฅผ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

XSS

Open Redirect is usually performed through the Location header or in JavaScript. If the protocol part of the destination can also be controlled, XSS is possible in the forms shown below.

GET /redirect?url=javascript:alert(45) HTTP/1.1
GET /redirect?url=data:(45) HTTP/1.1

However, most modern browsers block XSS through the Location header, so this only works when the navigation happens in JavaScript, or in a combined Location + JS case like the one described in the post referenced below.

Bypass protection

Host validation bypass

The patterns commonly used for host validation bypass are as follows.

/redirect?url=https://allow_domain.hahwul.com
/redirect?url=https://allow_domain@hahwul.com
/redirect?url=https://www.hahwul.com#allow_domain
/redirect?url=https://www.hahwul.com?allow_domain
/redirect?url=https://www.hahwul.com\allow_domain
/redirect?url=https://www.hahwul.com&allow_domain
/redirect?url=https:///////////www.hahwul.com
/redirect?url=https:\\www.hahwul.com
/redirect?url=https:\/\/www.hahwul.com

https://www.hahwul.com/phoenix/ssrf-open-redirect/#openredirect

Parameter Pollution

/redirect?url=allow_domain&url=https:\\www.hahwul.com

https://www.hahwul.com/2021/06/21/bypass-host-validation-with-parameter-pollution/

With Normalization

https://evil.c℀.example.com ---> https://evil.ca/c.example.com
http://a.com／X.b.com (fullwidth solidus U+FF0F)

🛡 Defensive techniques

Redirect ๊ธฐ๋Šฅ์ด ์žˆ๋Š” ํŽ˜์ด์ง€๋Š” ๊ฐ€๊ธ‰์  ํ—ˆ์šฉ๋œ ์ฃผ์†Œ๋ฅผ ์ œ์™ธํ•˜๊ณค ์ ‘๊ทผํ•˜์ง€ ๋ชปํ•˜๋„๋ก ์ œํ•œํ•˜๋Š”๊ฒŒ ์ข‹์Šต๋‹ˆ๋‹ค. ๋งŒ์•ฝ ์™ธ๋ถ€ ๋งํฌ ์ ‘๊ทผ์ด ํ•„์š”ํ•œ ๊ฒฝ์šฐ ์‚ฌ์šฉ์ž์—๊ฒŒ ์•ˆ๋‚ด ๋ฉ”์‹œ์ง€๋ฅผ ์ฃผ๋Š” ๊ฒƒ๋„ ์ข‹์€ ๋ฐฉ๋ฒ• ์ค‘ ํ•˜๋‚˜ ์ž…๋‹ˆ๋‹ค.

[Image: NIST's external-link pop-up]

🕹 Tools

📚 Articles

📌 References

Licensed under CC BY-NC-SA 4.0