GitHub - qeeqbox/open-redirect: A threat actor may send a malicious redirection request for a vulnerable target to a victim; the victim gets redirected to a malicious website that downloads an executable file

A threat actor may send a malicious redirection request for a vulnerable target to a victim; the victim gets redirected to a malicious website that downloads an executable file

Example #1

Threat actor crafts an email with a malicious redirection request for a vulnerable target and sends the email to a victim
The victim clicks on the email and sends the request to the vulnerable target
The target processes the malicious redirection request back to the victim
The victim's browser redirects the user to a malicious website

Code

Target-Logic

app.post("/weclome", (request, response) => {
    if (request.redirect){
        res.redirect(req.query.redirect);
    } else {
        res.redirect("/")
    }
});

Target-In

?redirect=test.com

Impact

Medium

Names

Open Redirect

Risk

Redirect users

Redemption

Input validation

Require

Social Engineering

ID

cea84b63-1552-47ad-a160-503f1c913390

References

wiki

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
LICENSE		LICENSE
README.md		README.md
open-redirect.drawio		open-redirect.drawio
open-redirect.png		open-redirect.png

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Example #1

Code

Target-Logic

Target-In

Impact

Names

Risk

Redemption

Require

ID

References

About

Sponsor this project

License

qeeqbox/open-redirect

Folders and files

Latest commit

History

Repository files navigation

Example #1

Code

Target-Logic

Target-In

Impact

Names

Risk

Redemption

Require

ID

References

About

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Sponsor this project