- The Guide to Finding and Reporting Web Vulnerabilities
Mechanisms
Websites often need to automatically redirect their users. For example, this scenario commonly occurs when unauthenticated users try to access a page that requires logging in. The website will usually redirect those users to the login page, and then return them to their original location after they’re authenticated. For example, when these users visit their account dashboards at https://example.com/dashboard, the application might redirect them to the login page at https://example.com/login.
To later redirect users to their previous location, the site needs to remember which page they intended to access before they were redirected to the login page. Therefore, the site uses some sort of redirect URL parameter appended to the URL to keep track of the user’s original location. This parameter determines where to redirect the user after login. For example, the URL https://example.com/login?redirect=https://example.com/dashboard will redirect to the user’s dashboard, located at https://example.com/dashboard, after login. Or if the user was originally trying to browse their account settings page, the site would redirect the user to the settings page after login, and the URL would look like this: https://example.com/login?redirect=https://example.com/settings. Redirecting users automatically saves them time and improves their experience, so you’ll find many applications that implement this functionality.
During an open-redirect attack, an attacker tricks the user into visiting an external site by providing them with a URL from the legitimate site that redirects somewhere else, like this: https://example.com/login?redirect=https://attacker.com. A URL like this one could trick victims into clicking the link, because they’ll believe it leads to a page on the legitimate site, example.com. But in reality, this page automatically redirects to a malicious page. Attackers can then launch a social engineering attack and trick users into entering their example.com credentials on the attacker’s site. In the cybersecurity world, social engineering refers to attacks that deceive the victim. Attacks that use social engineering to steal credentials and private information are called phishing.
Another common open-redirect technique is referer-based open redirect. The referer is an HTTP request header that browsers automatically include. It tells the server where the request originated from. Referer headers are a common way of determining the user’s original location, since they contain the URL that linked to the current page. Thus, some sites will redirect to the page’s referer URL automatically after certain user actions, like login or logout. In this case, attackers can host a site that links to the victim site to set the referer header of the request, using HTML like the following:
<html>
<a href="https://example.com/login">Click here to log in to example.com</a>
</html>
This HTML page contains an <a> tag, which links the text in the tag to another location. This page contains a link with the text Click here to log in to example.com. When a user clicks the link, they’ll be redirected to the location specified by the href attribute of the <a> tag, which is https://example.com/login in this example.
Figure 7-1 shows what the page would look like when rendered in the browser.
If example.com uses a referer-based redirect system, the user’s browser would redirect to the attacker’s site after the user visits example.com, because the browser visited example.com via the attacker’s page.
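The following Python sketch is an added example and is not code from the book; it shows, for the two mechanisms described in this section (the ?redirect= parameter and the Referer fallback), the weak pattern of trusting the supplied value as-is next to a hardened resolver that only ever sends the user to the application's own origin. It assumes the application is served at https://example.com; the function names and the default landing page /dashboard are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# The application's own origin (constructed for this example; the page uses example.com).
APP_SCHEME = "https"
APP_HOST = "example.com"


def vulnerable_redirect_target(redirect_param: Optional[str]) -> str:
    """The weak pattern from the text: whatever ?redirect= says is where the
    user goes, so ?redirect=https://attacker.com leaves the site."""
    return redirect_param or "/"


def safe_redirect_target(redirect_param: Optional[str], default: str = "/") -> str:
    """Return a redirect target that stays on APP_HOST, or `default`.

    Only two shapes are accepted:
      * a path-only target such as /dashboard or /settings
      * an absolute URL whose scheme and host match the application exactly
    Anything else (other hosts, protocol-relative //host, javascript: or data:
    schemes, userinfo@ tricks, backslash tricks, odd ports) yields `default`.
    The accepted target is re-serialised from its parsed parts rather than
    echoed back, so only the pieces that were checked reach the Location header.
    """
    if not redirect_param:
        return default
    # Browsers treat a backslash like a slash in http(s) URLs, so "/\\attacker.com"
    # would be read as "//attacker.com". Reject rather than try to normalise.
    if "\\" in redirect_param:
        return default
    parts = urlsplit(redirect_param)
    try:
        host, port = parts.hostname, parts.port   # .port raises on a malformed port
    except ValueError:
        return default

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash absolute path. urlsplit leaves
        # "////attacker.com" with an empty netloc and a path of "//attacker.com",
        # which a browser would read as a protocol-relative URL, so refuse
        # any path that starts with two slashes.
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return default
        return urlunsplit(("", "", parts.path, parts.query, ""))

    # Absolute target: exact scheme and host match, no userinfo, default port only.
    # Comparing the whole host (not a prefix or suffix) rules out
    # example.com.attacker.com and example.com@attacker.com.
    if parts.scheme != APP_SCHEME or host != APP_HOST:
        return default
    if parts.username is not None or port not in (None, 443):
        return default
    return urlunsplit((APP_SCHEME, APP_HOST, parts.path or "/", parts.query, ""))


def post_login_location(redirect_param: Optional[str], referer: Optional[str]) -> str:
    """Decide where to send the user after login: the validated ?redirect=
    value first, then the validated Referer header, then the dashboard.
    Running the Referer through the same check is what closes the
    referer-based variant described in the text."""
    target = safe_redirect_target(redirect_param, default="")
    if not target:
        target = safe_redirect_target(referer, default="")
    return target or "/dashboard"


if __name__ == "__main__":
    # Constructed sample requests: the legitimate flow and the lure from the text.
    print(post_login_location("https://example.com/dashboard", None))        # stays on site
    print(post_login_location("https://attacker.com", None))                 # falls back
    print(post_login_location(None, "https://attacker.com/lure.html"))       # falls back
```

The check is deliberately an exact-match allowlist on scheme and host rather than a denylist of known-bad patterns; a relative path is returned as a relative path so that the server's own Location header, not the caller's string, determines the origin.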