Question

Attackers could use open redirects by themselves to make their phishing attacks more credible. For example, they could send this URL in an email to a user: https://example.com/login?next=https://attacker.com/fake_login.html.

攻击者可以利用开放重定向来使其网络钓鱼攻击更加可信。例如，他们可以通过电子邮件向用户发送以下 URL：https://example.com/login?next=https://attacker.com/fake_login.html。

Though this URL would first lead users to the legitimate website, it would redirect them to the attacker’s site after login. The attacker could host a fake login page on a malicious site that mirrors the legitimate site’s login page, and prompt the user to log in again with a message like this one:

尽管此 URL 在首次将用户重定向至合法网站，但在登录后会将其重定向至攻击者的网站。攻击者可以在恶意站点上托管一个模拟合法站点登录页面的假登录页面，并提示用户再次登录，如此消息：

Sorry! The password you provided was incorrect. Please enter your username and password again.

抱歉！您提供的密码不正确。请重新输入您的用户名和密码。

Believing they’ve entered an incorrect password, the user would provide their credentials to the attacker’s site. At this point, the attacker’s site could even redirect the user back to the legitimate site to keep the victim from realizing that their credentials were stolen.

用户认为他们输入了错误的密码，然后就会将他们的凭据提供给攻击者的网站。此时，攻击者的网站甚至可以将用户重定向回合法网站，以避免受害者意识到他们的凭据已经被窃取。

Since organizations can’t prevent phishing completely (because those attacks depend on human judgment), security teams will often dismiss open redirects as trivial bugs if reported on their own. But open redirects can often serve as a part of a bug chain to achieve a bigger impact. For example, an open redirect can help you bypass URL blocklists and allowlists. Take this URL, for example:

由于组织无法完全防止钓鱼攻击（因为这些攻击取决于人类判断），因此安全团队通常会认为单独报告的开放重定向漏洞是微不足道的。但是，开放重定向经常可以作为一个漏洞链的一部分，以实现更大的影响。例如，开放重定向可以帮助您绕过 URL 阻止列表和白名单。请参考以下 URL：

https://example.com/?next=https://attacker.com/

This URL will pass even well-implemented URL validators, because the URL is technically still on the legitimate website. Open redirects can, therefore, help you maximize the impact of vulnerabilities like server-side request forgery (SSRF), which I’ll discuss in Chapter 13 . If a site utilizes an allowlist to prevent SSRFs and allows requests to only a list of predefined URLs, an attacker can utilize an open redirect within those allowlisted pages to redirect the request anywhere.

这个 URL 会通过即使是良好实现的 URL 验证器，因为该 URL 在技术上仍然在合法网站上。因此，开放性重定向可以帮助您最大限度地提高服务器端请求伪造（SSRF）等漏洞的影响，这将在第 13 章中讨论。如果一个网站使用白名单来防止 SSRF，并允许请求仅限于一系列预定义的 URL，攻击者可以在这些白名单页面中利用开放式重定向将请求重定向到任何地方。

You could also use open redirects to steal credentials and OAuth tokens. Often, when a page redirects to another site, browsers will include the originating URL as a referer HTTP request header. When the originating URL contains sensitive information, like authentication tokens, attackers can induce an open redirect to steal the tokens via the referer header. (Even when there is no open redirect on the sensitive endpoint, there are ways to smuggle tokens offsite by using open redirect chains. I’ll go into detail about how these attacks work in Chapter 20 .)

您也可以使用开放式重定向来窃取凭据和 OAuth 令牌。通常，当一个页面重定向到另一个站点时，浏览器将包括原始 URL 作为引用 HTTP 请求头。当原始 URL 包含敏感信息，比如身份验证令牌时，攻击者可以通过引用头诱导一个开放式重定向来窃取令牌。即使敏感端点上没有开放式重定向，攻击者仍可以使用开放式重定向链将令牌走私离开站点。这些攻击在第 20 章中详细介绍。