URL Jump Vulnerability

Vulnerability description

The server does not check and control the incoming jump URL variables, which can cause any malicious address to be maliciously constructed, inducing the user to jump to a malicious Web site.
Because it is from the trusted site to jump out, users will be more trust, so the jump vulnerability is generally used for phishing attacks, by going to malicious Web site to deceive users to enter user name and password to steal user information, or deceive users to carry out money transactions; You can also create an XSS vulnerability
Vulnerability detection

Modify the legitimate URL in the parameter as an illegal URL, and then see if you can jump normally or if the response package contains any constructed URLs bypass URL jump restrictions use Hello to bypass restrictions

For example: HTTP://WWW.AAA.COM/ACB? Url=http://login.aaa.com This is a jump link, jump to its two-level domain name, then this question mark where can be bypassed. In fact, it is placed in front of its own domain name that you add want to jump to the back of the domain name, such as: HTTP://WWW.AAA.COM/ACB? Url=http://test.com?login.aaa.com. So, it is actually going to jump to this test.com domain name, this domain name is I want to jump any domain name, and the back of its own domain name must be brought, do not have to help with the question mark? This feature to jump to the specified domain name, and after the jump, the question mark and question mark after the content will become this: http:// Www.test.com/?login.aaa.com uses backslashes and forward slashes to bypass restrictions

For example: http://www.aaa.com/acb?Url=http://login.aaa.com/is also in its own domain name Money plus forward slash, and then forward slash front with you want to jump to the domain name address
such as: http://www.aaa.com/acb?Url=http://test.com/login.aaa.com
There are three ways to counter slash
(1) Two backslash bypass method
For example: http://www.aaa.com/acb?Url=http://login.aaa.com/is also in its own domain name Money plus two backslashes, and then two backslashes before you want to jump the domain name address
such as: http://www.aaa.com/acb?url=http://test.com\\login.aaa.com
(2) A backslash bypass method
such as: http://www.aaa.com/acb?url=http://test.com\login.aaa.com
(3) Another idea, a backslash a point
Use. This format, which is a backslash plus a point to skip the limit,
such as: http://www.aaa.com/acb?url=http://test.com\.login.aaa.com use @ Bypass URL restrictions

If you use this method to jump in Firefox, there will be window tips, in other viewers do not.
such as: Http://www.aaa.com/acb?url=http://login.aaa.com@test.com behind the test.com is to jump to the domain name, the previous domain name is used to assist in bypassing the restrictions of the use of # number around

such as: http://www.aaa.com/acb?Url=http://test.com#login.aaa.com use white list defect bypass limit

Some domain name whitelist restrictions are not complete, for example, if you want to use a jump, and this jump is universal, in this company site many subdomains can jump, then you buy a domain name is not expensive right, why so, this problem is the white list of limitations, such as, When the domain name of the jump contains all the domain names under this site, such as: HTTP://WWW.AAA.COM/ACB? Url=http://login.aaa.com, this login.aaa.com can also be changed to AAA.com can also jump to it, because the white list as long as there is included in this domain name directly successful jump. Then when I add in front of this domain name such as testaaa.com, white list will check whether contains aaa.com this domain name, contains, and then direct jump, and did not check the entire information of this domain name, then can use this problem, directly register a testaaa.com this domain name can use this jump. Multiple Authentication & Jump Bypass Restrictions

Now many sites have multiple authentication, such as your login account will appear after another verification page, input phone verification code to verify, at this time the above URL is likely to have arbitrary jump problem.
Multiple jump problems cause the URL limit to be bypassed
Like http://www.aaa.com/acb?Url=http://login.aaa.com/acb?url=http://login.aaa.com. Of course, there are multiple, this structure of multiple jumps you modify the most behind the URL can reach any URL jump, the middle of the URL is not necessary to move. Click Trigger to reach bypass URL jump limit

For example, many landing pages where the URL is a jump URL, such as: http://www.aaa.com/acb?Url=http://test.com. You have directly modified the following for any URL, but still stay in place, it seems that there is no problem, but, when you enter the account and password click the login button, it will trigger the jump, of course, this account and password is not necessarily right, can be, but depending on the system and set it. This I encountered a lot of, such as you modify the domain name, and then click Login, landing after the success can trigger jump, which is a relatively covert bypass URL restrictions jump. Bypassing trusted site restrictions with hyperlinks

such as a URL, it can be directly jump, But the general test jump when you are accustomed to using www.baidu.com or qq.com such a trusted site for testing, but some sites can jump these sites, as long as it is a trusted site and commonly used, basic can jump, then this is the normal business logic. Do you miss a URL jump bug? In fact, as long as your URL has been included in Baidu, then directly search your domain name, site:xxx.xxx because you click your domain name in Baidu, it will first a 302 jump, and this 302 jump is Baidu under the 302 jump, so you can bypass the limits of trusted sites, To achieve the jump to the specified URL, of course, Baidu this 302 a bit long, you give it to encrypt on the line. URL jump in post parameter

Of course, this effect is very small, such as when you fill out what form or need to fill in what, when you upload pictures, click Next, usually the next step is to preview the information you fill out, the last is submitted, when you upload the picture after clicking Next Grab bag, if the filter is not strict, You will see that the full address of the picture is included in the post parameter, you can directly modify this address for any URL, and then reach the next step, then is to determine the information that is to preview the information you filled out correctly or incorrect, because you have just modified the image address, here is not shown, the image will be a small xx , when you click on the Picture right button to choose to view the image, will trigger the URL jump problem, in fact this can also be used to carry out fishing, fishing backstage auditor information, for what, such as audit see pictures can not load, will generally click to view the picture, and then jump, if the security awareness will cause security impact.

Of course, if the post parameter is just a URL jump parameter, then you can turn it into get way, and then jump on it, as long as the site to support such a get way on the line, in the Burp suite can be a key conversion submission, right button select Change Request Method is OK. Using Xip.io to bypass

Request is Http://www.127.0.0.1.xip.io this bypass is in the ssrf scene of the bypass, such as ssrf you want to read the intranet address, generally have made restrictions, you can try this method to bypass the restrictions, and thus access to the intranet.
Another point, url jump involved in the security issues common is fishing, then use this idea can also reach a fishing problem, such as, Http://www.qq.com.220.181.57.217.xip.io when you visit the domain name QQ, In fact, this link has been resolved to the following IP address, then the actual access is the IP address behind this. How to fix a bug

1. If the jump URL in advance can be determined, including the URL and parameter values, you can configure the first in the background, URL parameters only need to pass the index of the corresponding URL, through the index to find the corresponding specific URL and then jump;
2. If the URL of the jump is not determined in advance, but its input is generated by the background (not the user through the parameters of the descendants), you can first generate a good jump link and then signed, and jump CG first need to verify the signature through to jump;
3. If 1 and 2 are not satisfied, the URL can not be determined in advance, only through the front-end parameters, you must be in the jump when the URL in accordance with the rules check: that is, the control URL is your company authorized white list or is in line with your company rules URL:
function Checkurl (sURL) {
Return (/^ (https?:\ /\/)? [\w-.] +. (yourdomaina|yourdomainb|yourdomainc). COM ($|\/|\)/i). Test (sURL) | | (/^[\w][\w\/.-_%]+$/i). Test (sURL) | | (/^[\/\][^\/\]/i). Test (sURL)? True:false;
}

4.XSS vulnerability considerations: Jump URL Detection also added CRLF Head Injection vulnerability detection logic, specifically in the request parameters to add%0d%0a This test code, these parameters need to delete processing (in fact: in the judgment to a parameter contains%00->%1f Control characters are illegal and need to be deleted.

Go from: http://www.y-hkl.top/2018/01/11/URL%E8%B7%B3%E8%BD%AC%E6%BC%8F%E6%B4%9E/