[VIM] Open redirects - yes or no?

security curmudgeon jericho at attrition.org
Wed Apr 30 19:06:33 UTC 2008

: But, I've noticed that other VDBs aren't necessarily covering these.

OSVDB typically adds these.

: My rationale for inclusion in CVE is that open redirects are useful for 
: redirecting a user from a legitimate site to a malicious site where the 
: malicious site is either used for phishing or drive-by exploitation.  I 
: suspect that many implemented redirects would be automatic, so in the 
: drive-by example it's irrelevant if a cautious user looks at the 
: browser's address bar, as the malware probably would have already 
: implanted itself.  This usually is not intended by the program serving 
: up the URL, and so it's technically a security issue because of the 
: violation of the program's intended security policy. At least that's my 
: general reasoning.
: The attack topology has things in common with reflected XSS 
: (attacker-to-user-who-clicks), which I think is generally treated as a 
: security issue even if it's typically user-assisted.  And I suspect 
: there might be some stored-XSS-style attacks too.
: What do others think of this?

The phishing vector is what warrants inclusion in my mind. When doing 
application tests, we ding clients for this as well, especially financial 
groups. Redirects should only work for the same site, any external 
redirects should go to a logout/splash page indicating the user/customer 
is leaving the legitimate site. If that is in place, we don't ding the 
client at work, and we don't add it to OSVDB.


More information about the VIM mailing list