Question

To prevent open redirects, the server needs to make sure it doesn’t redirect users to malicious locations. Sites often implement URL validators to ensure that the user-provided redirect URL points to a legitimate location. These validators use either a blocklist or an allowlist.

为了防止开放重定向，服务器需要确保不会将用户重定向到恶意网址。网站通常实施 URL 验证器，以确保用户提供的重定向 URL 指向合法位置。这些验证器使用阻止名单或允许名单。

When a validator implements a blocklist, it will check whether the redirect URL contains certain indicators of a malicious redirect, and then block those requests accordingly. For example, a site may blocklist known malicious hostnames or special URL characters often used in open-redirect attacks. When a validator implements an allowlist, it will check the hostname portion of the URL to make sure that it matches a predetermined list of allowed hosts. If the hostname portion of the URL matches an allowed hostname, the redirect goes through. Otherwise, the server blocks the redirect.

当验证器实施阻止列表时，它会检查重定向 URL 是否包含某些恶意重定向指示器，并相应地阻止这些请求。例如，一个站点可能会阻止已知的恶意主机名或经常用于开放重定向攻击的特殊 URL 字符。当验证器实施允许列表时，它将检查 URL 的主机名部分，以确保它与预定的允许主机列表匹配。如果 URL 的主机名部分与允许的主机名匹配，则重定向将进行。否则，服务器将阻止重定向。

These defense mechanisms sound straightforward, but the reality is that parsing and decoding a URL is difficult to get right. Validators often have a hard time identifying the hostname portion of the URL. This makes open redirects one of the most common vulnerabilities in modern web applications. We’ll talk about how attackers can exploit URL validation issues to bypass open-redirect protection later in this chapter.

这些防御机制听起来很简单，但实际上解析和解码 URL 非常难以正确执行。验证器通常很难识别 URL 的主机名部分。这使得开放式重定向成为现代 Web 应用程序中最常见的漏洞之一。稍后在本章中，我们将讨论攻击者如何利用 URL 验证问题绕过开放式重定向保护。