Open redirects are pretty dangerous, not because of their impact but because of how easily they can be hidden. We will explore some general tips later on, but first we need to explain what open redirects are.
In my experience the best way to do that is by example, so we will again build a lab and hack it before we try to secure it. Open redirects happen when an application redirects users without checking that they are being sent to the proper resource. Because no check is done, any malicious actor can insert their own link into the request and make it appear as if their website is affiliated with the one they are attacking, in order to scam people.
I've set aside a space on my FTP server where you can create your own labs. You are going to create them, hack them, and secure them before you learn what I mean by using the right filter for the right job.
THE SERVER GETS ERASED EVERY 24 HOURS
Enter the following code in your file and upload it to the server.
<?php
// Lab code: take the redirect target straight from the query string
if (isset($_GET['url'])) {
    $redirect_url = $_GET['url'];
    header("Location: " . $redirect_url);
}
?>
<form method="GET">
URL:<input type="text" id="url" name="url"><br>
<input type="submit">
</form>
Now you should be able to navigate to https://www.hackxpert.com/Training/YOUR_FILE.php
Since you know what an open redirect is, can you guess what the problem here is?
As you might have been able to guess, the problem is that the page redirects us to any website we supply, no matter which one.
Let's make a new page. I called it 20.php, but you can call it whatever you like. Let's add some security code and upload it again.
<?php
echo "<h1>YOUR GOAL? EZZ CHEEZZYYYY!! Just redirect this page to facebook.com with the below box :)</h1><br>";
if (isset($_GET['url'])) {
    // Redirect only if the parameter contains this server's host name
    if (strstr($_GET['url'], $_SERVER['HTTP_HOST'])) {
        $redirect_url = $_GET['url'];
        header("Location: https://" . $redirect_url);
    } else {
        echo "You can only direct to " . $_SERVER["HTTP_HOST"];
    }
}
?>
<form method="GET">
URL:<input type="text" id="url" name="url"><br>
<input type="submit">
</form>
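The check in 20.php only asks whether the host name appears somewhere in the parameter. As an added example (not part of the original lab code), here is one way to validate a redirect target by parsing it and comparing the host exactly; the function name `safe_redirect_target`, the allowlist, the fallback page and the example.com/example.org hosts are assumptions made for illustration.

```php
<?php
// Added example, not the lab's code. All host names below are constructed.
const ALLOWED_HOSTS = ['www.example.com'];   // assumption: hosts you redirect to
const FALLBACK = '/';                        // assumption: safe default page

function safe_redirect_target(string $url): string
{
    // Reject control characters, spaces and backslashes, which browsers
    // may normalise differently from parse_url().
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return FALLBACK;
    }
    // Local path: exactly one leading slash, so "//host" is not accepted.
    if ($url[0] === '/' && ($url[1] ?? '') !== '/') {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return FALLBACK;
    }
    // No userinfo ("user@host") and https only.
    if (isset($parts['user']) || strtolower($parts['scheme']) !== 'https') {
        return FALLBACK;
    }
    // Compare the parsed host exactly, never as a substring of the whole value.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return FALLBACK;
    }
    return $url;
}

// Constructed inputs, with the validator's decision printed for each.
$samples = [
    'https://www.example.com/account',                 // allowed host
    '/Training/index.php',                             // local path
    'https://other.example.org/?ref=www.example.com',  // name appears, host differs
    'https://www.example.com.other.example.org/',      // allowed name is only a prefix
    '//other.example.org/',                            // scheme-relative
    'http://www.example.com/',                         // not https
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", $s, safe_redirect_target($s));
}
```

In a page like the lab's, the returned value would be what goes into the `Location` header, followed by `exit;` so nothing else is sent after the redirect.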