Open Redirect Security Feature
Overview
Web applications that redirect the user to another location based on user-controlled input are vulnerable to Open Redirect attacks. In such attacks, the attacker supplies a link to an external site, and the application uses that link as the target of an HTTP redirect. Because the redirect starts from a trusted domain, this makes phishing attacks easier to carry out. Open Redirect attacks are included in the SANS Top 25 Most Dangerous Software Errors.
Open Redirect vulnerabilities are covered by CWE-601.
This rule provides protection only when user input is received via an API that is enabled in the input declaration of the rule.
The ARMR Redirect security feature can be used to enable protection against Open Redirect attacks.
Given (Conditions)
The user can specify two conditions in the ARMR http rule to enable the ARMR Redirect security feature: input and response.
| Condition | Description |
| --- | --- |
| input | Specifies the source of the untrusted data. The following three sources are supported: `http` (data introduced via HTTP/HTTPS requests), `database` (data introduced via JDBC connections) and `deserialization` (data introduced via Java or XML deserialization). The rule triggers if the source of the untrusted data matches one specified in the rule. If no value is specified, a default value of `http` is used. An exception is thrown if an unsupported value is provided. |
| response | Specifies that protection is required for an HTTP/HTTPS response. |
When (Event)
| Event | Description |
| --- | --- |
| open-redirect | Specifies that protection against open redirect attacks is required. This can be declared empty, without any parameters, indicating that protection against open redirects is required for all external domains or IP addresses. Alternatively, the following option may be specified as a parameter: `options: {exclude: subdomains}`. This option is useful for applications that require open redirects to sub-domains of the same root domain to be allowed. Specifying `exclude: subdomains` allows all HTTP server-side redirects to URLs as long as the parent sub-domain or root domain is the same as the application's domain. For example, if the domain of the application is foo.com, it may be necessary to allow open redirects to sub-domains such as bar.foo.com and example.foo.com; if the domain of the application is something.foo.com, it may be necessary to allow open redirects to another domain that has the same parent domain, such as somethingElse.foo.com. |
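The following stand-alone model illustrates the two behaviours described above: with no options, only redirects that stay on the application's own host pass; with `exclude: subdomains`, a target that shares the application's parent sub-domain or root domain also passes. This is an added example, not ARMR code; the function names, the label-by-label suffix comparison and the rejection of non-HTTP schemes are assumptions of this model rather than documented ARMR behaviour.

```python
"""Model of the open-redirect check described for the ARMR `open-redirect` event.
Added illustration, not Waratek/ARMR code. Assumptions: a target "shares the
parent sub-domain or root domain" when its trailing DNS labels equal the
application's parent/root domain labels; non-HTTP schemes are rejected."""
from __future__ import annotations

from urllib.parse import urlsplit


def _labels(host: str) -> list[str]:
    """Split a hostname into lowercase DNS labels, ignoring a trailing dot."""
    return [lbl for lbl in host.lower().rstrip(".").split(".") if lbl]


def _parent_domain(app_host: str) -> list[str]:
    """Labels an allowed target must end with under `exclude: subdomains`.

    For a two-label host such as foo.com the whole host is the root domain;
    for something.foo.com the parent domain is foo.com, which is why the
    documented example allows somethingElse.foo.com."""
    labels = _labels(app_host)
    return labels if len(labels) <= 2 else labels[1:]


def is_redirect_allowed(app_host: str, location: str, exclude_subdomains: bool = False) -> bool:
    """Return True when a server-side redirect to `location` should be allowed.

    Default (no options): the target must be the application's own host or a
    relative path. With exclude_subdomains=True the target may also sit under
    the application's parent/root domain. The comparison is done on whole DNS
    labels, so foo.com.attacker.example is not mistaken for foo.com, and
    credentials in the authority (user@host) do not fool the check because
    urlsplit().hostname strips them."""
    parts = urlsplit(location)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # assumption of this model: only HTTP(S) targets are valid
    target = parts.hostname  # None for a relative path such as /account
    if target is None:
        # A relative redirect stays on the current host. A protocol-relative
        # "//host/path" has a hostname, so it is checked like an absolute URL.
        return True
    t = _labels(target)
    a = _labels(app_host)
    if t == a:
        return True
    if not exclude_subdomains:
        return False
    parent = _parent_domain(app_host)
    return len(t) >= len(parent) and t[-len(parent):] == parent
```

The worked cases from the table: with the application on foo.com, bar.foo.com and example.foo.com are rejected by the default rule and accepted with the exclusion; with the application on something.foo.com, somethingElse.foo.com is accepted with the exclusion; a look-alike such as foo.com.attacker.example is rejected either way.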
Then (Action)
| Action | Description |
| --- | --- |
| protect | Malicious open redirect operations are blocked and an HTTP error code 403 is returned to the browser. If configured, a log message is generated with details of the event. |
| detect | Monitoring mode: the application behaves as normal. Malicious open redirect operations are allowed and no HTTP error is returned to the browser. If configured, a log message is generated with details of the event. |
Examples
The following ARMR http rule switches on the Open Redirect security feature to protect against unauthorized redirects that originate from an HTTP/HTTPS request. The input declaration is omitted, so the default of http is used.
```
app("Open Redirect mod"):
    requires(version: ARMR/2.2)
    http("Protect against open redirect attacks"):
        open-redirect()
        response()
        protect(message: "Protect external redirects.", severity: Very-High)
    endhttp
endapp
```
Logging
When the above ARMR http rule is triggered, a log entry similar to the following is generated:
```
<12>1 2020-08-11T15:33:10.960+01:00 l-qa02 java 3177 - - CEF:0|ARMR:Open Redirect mod|Open Redirect mod|2.2|Protect against open redirect attacks|Execute Rule|Very-High|rt=Aug 11 2020 15:33:10.960 +0100 dvchost=l-qa02 procid=3177 act=protect msg=Protect external redirects. metadata="HeaderInfo":{"remoteAddr":"0:0:0:0:0:0:0:1","requestURI":"/spiracle/SendRedirect","sessionId":"49EFB4F92105EF5ED088C9C207F85170","cookieNames":{"JSESSIONID":"49EFB4F92105EF5ED088C9C207F85170","CUSTOMER_UUID":"05b7b9d7-2046-4014-b8c9-bc53c79790c5"}} redirectLocation=http://www.waratek.com localIpAddress=0:0:0:0:0:0:0:1 localName=ip6-localhost serverName=localhost
```
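To act on these events in a SIEM or alerting pipeline, the CEF line has to be split into its header fields and its key=value extensions. The parser below is an added example, not ARMR or Waratek code; it embeds the log line shown above as its sample input and derives the field layout (standard CEF header, space-separated extensions whose values may contain spaces, and a `metadata` value that is a JSON object body without enclosing braces) from that single sample, so other ARMR event types may need adjustment. The `summarize` helper and its output keys are this example's own choice.

```python
"""Parse the ARMR open-redirect CEF log entry into fields for detection rules.
Added example, not Waratek/ARMR code. The sample line is copied from the page;
the extension layout is inferred from that one sample."""
import json
import re

# Sample log line copied from the documentation above.
SAMPLE_LOG = (
    "<12>1 2020-08-11T15:33:10.960+01:00 l-qa02 java 3177 - - "
    "CEF:0|ARMR:Open Redirect mod|Open Redirect mod|2.2|"
    "Protect against open redirect attacks|Execute Rule|Very-High|"
    "rt=Aug 11 2020 15:33:10.960 +0100 dvchost=l-qa02 procid=3177 "
    "act=protect msg=Protect external redirects. "
    'metadata="HeaderInfo":{"remoteAddr":"0:0:0:0:0:0:0:1",'
    '"requestURI":"/spiracle/SendRedirect",'
    '"sessionId":"49EFB4F92105EF5ED088C9C207F85170",'
    '"cookieNames":{"JSESSIONID":"49EFB4F92105EF5ED088C9C207F85170",'
    '"CUSTOMER_UUID":"05b7b9d7-2046-4014-b8c9-bc53c79790c5"}} '
    "redirectLocation=http://www.waratek.com localIpAddress=0:0:0:0:0:0:0:1 "
    "localName=ip6-localhost serverName=localhost"
)

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key starts the line or follows whitespace and ends with '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def parse_cef(line: str) -> dict:
    """Return the CEF header fields plus every extension key=value pair.

    Values may contain spaces (msg=Protect external redirects.), so each value
    runs from its '=' up to the start of the next 'key=' token. The syslog
    prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = line[start:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        record[m.group(1)] = ext[m.end():end].strip()
    # In the sample, metadata is `"HeaderInfo":{...}`: a JSON object body
    # without the enclosing braces. Wrap it so json.loads accepts it.
    if "metadata" in record:
        record["metadata"] = json.loads("{" + record["metadata"] + "}")
    return record


def summarize(record: dict) -> dict:
    """Reduce a parsed event to the fields an analyst triages first."""
    info = record.get("metadata", {}).get("HeaderInfo", {})
    return {
        "action": record.get("act"),              # protect (blocked) or detect
        "severity": record.get("severity"),
        "rule": record.get("signature_id"),
        "target": record.get("redirectLocation"), # where the redirect pointed
        "source_ip": info.get("remoteAddr"),
        "request_uri": info.get("requestURI"),
        "session_id": info.get("sessionId"),
        "server": record.get("serverName"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_cef(SAMPLE_LOG)), indent=2))
```

Splitting the extension on `key=` boundaries rather than on spaces is what keeps the free-text `msg` and the timestamp in `rt` intact; a detection rule would typically key on `act` (whether the redirect was blocked) together with `redirectLocation` and `remoteAddr`.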
Further Examples
The following mod detects open redirect attacks that originate from an HTTP/HTTPS request:
```
app("Open Redirect mod 2"):
    requires(version: ARMR/2.2)
    http("Detect malicious open redirect attacks"):
        input(http)
        response()
        open-redirect()
        detect(message: "Unauthorized external redirect detected.", severity: High)
    endhttp
endapp
```
The following mod protects against open redirect attacks that originate from various untrusted sources. Logging is switched off by the omission of the log message parameter.
```
app("Open Redirect mod 3"):
    requires(version: ARMR/2.2)
    http("Protect against open redirect attacks"):
        response()
        input(deserialization, http, database)
        open-redirect()
        protect(severity: 10)
    endhttp
endapp
```
The following mod protects against open redirect attacks that originate from a database source, provided the parent sub-domain or root domain of the redirect URL is different from the application's domain; redirects within the application's own domain are allowed.
```
app("Open Redirect mod 4"):
    requires(version: ARMR/2.2)
    http("Protect against open redirect attacks, excluding subdomains"):
        response()
        input(database)
        open-redirect(options: {exclude: subdomains})
        protect(message: "Open redirect attack blocked.", severity: Medium)
    endhttp
endapp
```