Objective:
Today I learned about the URL redirection vulnerability; it is relatively easy to understand.
Vulnerability name: URL redirection (open redirect) vulnerability
Threat: Low
Source of the vulnerability: developers do not apply the corresponding filtering and restrictions to the URL that the page redirects to.
Example:
Vulnerable site: http://a.com/x.php?url=http://a.com/login.php
Here the site sends the visitor to whatever page is written after the url parameter. Example: http://a.com/x.php?url=http://www.baidu.com
Vulnerabilities that can be used in conjunction with it:
CSRF: when a website has a CSRF vulnerability and you know the link that creates a background administrator, modify that link to use the URL redirection vulnerability and generate a short link from it.
Stored XSS: when a website has a stored XSS vulnerability, insert cookie-stealing JS; combined with the URL redirection vulnerability, victims are sent straight to that page.
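The line above describes the unfiltered pattern: whatever arrives in the url parameter becomes the redirect target. The following is an added example, not code from the original post or from bWAPP, showing that pattern next to a hardened version that restricts the target to the site's own hosts. The allowed host list (a.com, www.a.com) and the fallback path are assumptions chosen to match the example above.

```python
from urllib.parse import urlsplit

# Hosts this application is allowed to redirect to (assumed for the example)
ALLOWED_HOSTS = {"a.com", "www.a.com"}


def vulnerable_redirect_target(url_param):
    """The unfiltered pattern from the text: the url parameter is used as-is
    for the Location header, so any external site can be supplied."""
    return url_param


def safe_redirect_target(url_param, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return a redirect target that stays on an allowed host.

    Anything that does not parse as a same-site target is replaced by the
    fallback path, so the worst case is landing on the site's own home page.
    """
    if not url_param:
        return fallback
    # Some browsers treat backslashes as slashes; normalise before parsing so
    # the check below sees the same URL the browser would.
    candidate = url_param.replace("\\", "/")
    parts = urlsplit(candidate)

    # Relative target: accept a path starting with a single '/', but not '//',
    # which browsers read as a protocol-relative URL to another host.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    # Absolute target: only http(s), no userinfo (user@host) in the authority,
    # and the hostname must be on the allowlist.
    if parts.scheme not in ("http", "https"):
        return fallback
    if "@" in parts.netloc:
        return fallback
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs for a quick look at both behaviours
    for sample in ["http://a.com/login.php", "/login.php", "http://www.baidu.com", "//www.baidu.com"]:
        print(f"{sample!r:32} vulnerable -> {vulnerable_redirect_target(sample)!r:28} "
              f"safe -> {safe_redirect_target(sample)!r}")
```

The hardened function compares the parsed hostname rather than doing a string prefix check, because a prefix check on "http://a.com" would also accept "http://a.com.attacker-controlled.example" and "http://a.com@other-host".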
Body:
Here we use bWAPP, a deliberately vulnerable web application, for URL redirection testing.
http://192.168.3.41/bWAPP/unvalidated_redir_fwd_1.php
Unfiltered redirect and forward
Click the Beam button and the page redirects.
Capture the request with Burp Suite and look at it.
The parameters are found to be of the form url=xxxx&form=submit
Send the request to Repeater.
Modify it to url=http://www.baidu.com
A 302 redirect is generated; the redirect target is http://www.baidu.com
Go back to the Proxy tab, forward the packet, and the browser redirects.
Intermediate-level attempt
Capture the packet in the same way.
Changing the link directly, I found it redirected back to the login page. A careful comparison showed that the intermediate-level defence is decided by the value of a cookie.
Change that value to 0, then change the URL in the parameters, and it redirects directly.
Advanced-level attempt
The advanced and intermediate defences are no different; only the cookie value becomes 2. Change the link to the Blog Park (cnblogs) link and set the cookie value directly to 0.
Blog Park here goes through two redirects.
The URL redirection vulnerability can be verified with this script:

```python
import requests
import time


def POC():
    # Target URL and the query string to send with it, entered interactively
    user = input('Please enter the Web site to be tested:')
    user2 = input('Please enter the parameters you want to bring in:')

    # Parse "key=value&key2=value2" (anything after a '?' is used) into a dict
    values = user2.strip().split('?')[-1]
    params = {}
    for line in values.split('&'):
        key, value = line.split('=', 1)
        params[key] = value
    print('URL:', user)
    print('The parameters you have taken are:', params)
    time.sleep(0.2)

    # Optionally edit individual parameters, e.g. point the url parameter elsewhere
    print('If you want to change the parameters, please enter y')
    print('If you do not need to change them, enter n')
    user3 = input('Do you want to change your parameters [y/n]:')
    if user3 == 'y':
        while True:
            print('Please enter the name of the parameter you want to change {name:value}')
            print(params)
            user4 = input('Please fill in the name:')
            user5 = input('Please enter the value you want to change it to:')
            params['{}'.format(user4)] = '{}'.format(user5)
            print('The change was done, and your current parameters are', params)
            user6 = input('Do you want to continue changing the parameters [y/n]?:')
            if user6 == 'y':
                continue
            elif user6 == 'n':
                break
            elif user6 == '':
                break

    # Send the request without following redirects so the raw 302 can be inspected
    url = user.strip()
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 '
                      '(KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'
    }
    rest = requests.get(url=url, headers=headers, timeout=6, params=params, allow_redirects=False)
    print('Http_code:', rest.status_code)
    print(rest.headers)

    # The Location header tells us where the server would have sent the browser
    try:
        print(rest.headers['Location'])
        if rest.headers['Location'] == 'http://www.baidu.com':
            print('[*] There is a URL redirection vulnerability in this link')
        else:
            print('[+] There is no URL redirection vulnerability in this link')
    except KeyError:
        print('[-] No Location header')


POC()
```
The results of the operation are as follows:
Summary:
Although the vulnerability is not a high threat, it should still be defended against. There are several ways to do so:
A state parameter can be used to prevent cross-site attacks: when the 302 redirect comes back with the code parameter, verify the state to detect a request forged by the attacker, so the attacker cannot falsify the request.
For external-link attacks, add rel=noreferrer to all external links in browsers that support HTML5;
for older versions of IE, the workaround is to redirect through an HTTPS page so that the Referer is erased.
PHP checks the Referer to prevent unauthorized access: http://www.90tec.com/iwork/20.html
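The state-parameter defence above says to verify, on the callback carrying the code parameter, that the request was started by this user rather than forged. The following is an added example, not code from the original post, of that check in Python: an unguessable state is bound to the server-side session before the redirect, and the callback is accepted only if it carries that exact value, once. The in-memory session store, the session id and the callback URL are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a server-side session store: session id -> dict
SESSIONS = {}


def issue_state(session_id):
    """Create an unguessable state value and bind it to the user's session.
    The caller includes it as ?state=... in the redirect it sends the browser to."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["redirect_state"] = state
    return state


def verify_state(session_id, returned_state):
    """Check the state returned on the 302 callback against the session.

    The stored value is consumed on the first attempt, so a forged or replayed
    callback cannot succeed even if the attacker later learns the value.
    Comparison is constant-time to avoid leaking the expected value by timing.
    """
    session = SESSIONS.get(session_id, {})
    expected = session.pop("redirect_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def handle_callback(session_id, callback_url):
    """Parse ?code=...&state=... from the callback URL and return the code only
    when the state check passes; otherwise return None and ignore the code."""
    query = parse_qs(urlsplit(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if code is None or not verify_state(session_id, state):
        return None
    return code


if __name__ == "__main__":
    sid = "session-123"                       # constructed session id
    state = issue_state(sid)
    print("redirect browser to: http://idp.example/authorize?state=" + state)
    # Genuine callback (constructed): carries the state we issued
    print(handle_callback(sid, "http://a.com/callback?code=abc123&state=" + state))
    # Forged callback: the attacker does not know the bound state
    issue_state(sid)
    print(handle_callback(sid, "http://a.com/callback?code=evil&state=guess"))
```

Binding the state to the session is what makes the check meaningful: a value that is merely present in the URL, but not tied to who started the flow, can be supplied by anyone who crafts the link.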
I don't like the second one; the others are fine.
URL Redirection vulnerability, Python creates URL redirection vulnerability detection script