77

My website has a redirect page with the format https://my.site/redirect?deeplink=https://foo.bar&...

The redirect is implemented in JavaScript, so when you request the site, you get a 200 and some HTML + JS, not a 30X.

I recently started to notice that someone is abusing the redirect page for dubious links (guns, viagra, ...). It was suspicious that the traffic of the page increased by a lot, especially at night, when there should be barely any traffic.

I started to log the requests including referer. The referers seem to be all kinds of different hosts (not the same one every time) but mostly redirect pages themselves. Examples are

I'm actually in control of the URLs that users should be legitimately redirected to, so I implemented a whitelist of valid hosts and started redirecting invalid ones to my start page.

What I'm wondering is, why should someone abuse my redirect page in the described way? And are there any risks I should be aware of?

3
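The host allowlist the question describes, as an added example (not code from the original post): the legitimate target hosts, the fallback start page and the `deeplink` parameter name are assumptions for illustration. It parses the parameter with the WHATWG `URL` constructor, accepts only `http(s)` targets whose host is exactly on the list, and otherwise falls back to the start page. The inputs at the bottom are constructed to show the bypasses a substring or prefix check would miss: a lookalike host that merely contains the trusted name, a trusted name placed in the userinfo part, a protocol-relative `//host` link, and a `javascript:` scheme.

```javascript
// Added example, not from the original question. Allowlist check for a
// client-side redirect page of the form https://my.site/redirect?deeplink=...
// Hosts and the fallback URL are assumed values for illustration.

const ALLOWED_HOSTS = new Set(["my.site", "foo.bar", "www.foo.bar"]); // assumed legitimate targets
const START_PAGE = "https://my.site/";                                // assumed fallback

// Returns the URL the page may navigate to: the deeplink itself when it is an
// http(s) URL whose host is exactly on the allowlist, otherwise the start page.
function resolveRedirect(deeplink, allowedHosts = ALLOWED_HOSTS, fallback = START_PAGE) {
  if (typeof deeplink !== "string" || deeplink.length === 0) return fallback;

  let target;
  try {
    // Resolve relative to the site so "//evil.example" and "/path" are parsed
    // the same way the browser would resolve them before navigating.
    target = new URL(deeplink, fallback);
  } catch (e) {
    return fallback; // unparsable input
  }

  // Only web schemes: blocks javascript:, data:, file: and similar.
  if (target.protocol !== "https:" && target.protocol !== "http:") return fallback;

  // Exact host comparison on the parsed hostname. A startsWith/includes check
  // on the raw string would accept "https://foo.bar.evil.example/" and
  // "https://foo.bar@evil.example/", both of which navigate to evil.example.
  if (!allowedHosts.has(target.hostname)) return fallback;

  return target.href;
}

// Constructed inputs showing what gets through and what is redirected home.
const SAMPLE_DEEPLINKS = [
  "https://foo.bar/page?x=1",          // allowed as-is
  "HTTPS://FOO.BAR",                   // allowed; URL normalises scheme and host
  "/account",                          // allowed; relative path stays on my.site
  "https://evilphishingsite.example/", // rejected: host not listed
  "https://foo.bar.evil.example/",     // rejected: trusted name is only a prefix
  "https://foo.bar@evil.example/",     // rejected: trusted name is the userinfo
  "//evil.example/x",                  // rejected: protocol-relative link
  "javascript:alert(1)",               // rejected: non-web scheme
  "",                                  // rejected: empty parameter
];

// Convenience for inspection: maps each sample input to the resolved target.
function resolveAll(inputs = SAMPLE_DEEPLINKS) {
  return inputs.map((d) => [d, resolveRedirect(d)]);
}

// In the redirect page itself (browser only):
//   const deeplink = new URLSearchParams(location.search).get("deeplink");
//   location.replace(resolveRedirect(deeplink));
```

Note that `hostname` excludes the port, so `https://foo.bar:8443/` is still matched as `foo.bar`; if only one port is legitimate, compare `target.host` (host plus port) against the list instead.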

4 Answers

120

Assuming that people trust your site, abusing redirections like this can help avoid spam filters or other automated filtering on forums/comment forms/etc. by appearing to link to pages on your site. Very few people will click on a link to https://evilphishingsite.example.com, but they might click on https://catphotos.example.com?redirect=https://evilphishingsite.example.com, especially if it was formatted as https://catphotos.example.com to hide the redirection from casual inspection - even if you look in the status bar while hovering over that, it starts with a reasonable looking string.

The main risks are to your site reputation (it's more likely to get blacklisted by filtering services if they spot dubious traffic being accessed through it) and to people following these links (who knows what is actually on the other site you're sending them to). It's unlikely to result in compromise of your server directly.

10
  • 54
    Additionally, several mail providers implement link scanning, where they look at links in emails and even try to open them and scan the contents. They usually do follow 30X redirects, but won't execute JavaScript. So the link-inspection software will probably classify your domain as trustworthy and the content of the link as harmless - while the JS on your page will actually send the user to an evil page.
    – Falco
    Commented Aug 8, 2018 at 14:02
  • 2
    One could argue that the blind trust the browser places on redirects (following them without asking the user by default) is a liability.
    Commented Aug 9, 2018 at 16:55
  • 11
    @curiousguy Arguably any link that performs such an action via GET is fundamentally broken. A proper unsubscribe should direct to a page with a form that requires a POST submission. (Of course, in the real world, few things are proper.)
    – Bob
    Commented Aug 10, 2018 at 0:40
  • 4
    @Bob exactly - GET requests should be idempotent and without side effects. Most unsubscribe links I know will show a page to you with an unsubscribe button that triggers a POST request.
    – Falco
    Commented Aug 10, 2018 at 10:56
  • 2
    @Snow I was referring to HTTP status codes like 301 or 302, which indicate a redirect via HTTP, in contrast to redirection via page scripts.
    – Falco
    Commented Aug 13, 2018 at 8:52
32

If you have a login page on your site, the bad guys could have used your open redirect to make a more successful phishing page for your users.

From https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

9

The crux is that using your redirect leverages the good name of your business to get someone to click on the malicious link.

6

Your website might not be blacklisted, unlike another.

Assuming they were using it to send spam links, it would look more reasonable if it came from a new domain. I would guess they would send spam from your site long enough for it to become blacklisted, at which point they might drop yours and try to find another.
