Yet Another Form of Injection Attack: Web Redirects
Brian Krebs's Security Fix discusses research out of Indiana University on how phishers and others can abuse open redirects on legitimate Web sites. Beyond the clear examples of hijacked redirects Krebs provides, I add that this is yet another instance of an injection attack that stems from the way software engineers design modular software.
Software engineers and programmers are taught from Day 1 that programs should be broken down into logical units of work with minimal dependencies between modules. The way to accomplish this kind of decoupling is to parameterize procedures. Need to do slightly different things in different parts of the code? No problem: add a parameter to the procedure and let the calling code tell you what it needs. This works well in monolithic programs that are only called by other pieces of known, controlled code, but it falls down in open systems like the Web, or whenever the parameter comes from an untrusted user.
Dynamic Web redirects that take the destination as a parameter create the possibility of substituting a phishing site, or some other malicious destination, for a legitimate one. The problem arises when no verification happens before the redirect is executed. A whitelist of permitted destinations, checked before the redirect is issued, is one way to perform that verification. More details are available in the researchers' paper (pdf).
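As an added illustration (not code from the post or from the Indiana University paper), here is the unsafe pattern beside a verified version in plain Python using only the standard library. The allowed host names, the default landing page and the `url` parameter name are constructed assumptions; the point is that the verified handler compares the parsed host against a whitelist and falls back to a known-good page, and that it goes a little beyond the post's description by handling the lookalike forms that a naive string check would pass: scheme-relative `//host` targets, a `user@host` authority, a trusted host used as a subdomain of another, and backslashes that browsers treat as slashes.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed whitelist: the only hosts this application will redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
# Constructed known-good landing page used whenever verification fails.
DEFAULT_DEST = "https://www.example.com/"


def open_redirect(query_string):
    """The unsafe pattern: trust the 'url' parameter and redirect wherever it says.
    Returns an (HTTP status, headers) pair like a minimal framework handler would."""
    params = parse_qs(query_string)
    dest = params.get("url", [DEFAULT_DEST])[0]
    return (302, {"Location": dest})


def safe_redirect_target(dest):
    """Return dest only if it stays on this site (an allowed host or a local path);
    otherwise return the default landing page."""
    if not dest:
        return DEFAULT_DEST
    # Browsers accept backslashes as path separators, so normalise before parsing
    # so that the parser sees the same structure the browser will.
    dest = dest.replace("\\", "/")
    parts = urlsplit(dest)

    # No scheme and no authority: a site-relative path such as "/account".
    # "//host" is scheme-relative and is parsed with a netloc, so it never lands here.
    if not parts.scheme and not parts.netloc:
        if dest.startswith("/") and not dest.startswith("//"):
            return dest
        return DEFAULT_DEST

    # Only plain web URLs are eligible for an absolute redirect.
    if parts.scheme not in ("http", "https"):
        return DEFAULT_DEST

    # hostname (not netloc) strips any user@ prefix and :port, and is lower-cased,
    # so "https://www.example.com@other.example/" is judged by "other.example".
    # Exact set membership also rejects "www.example.com.other.example".
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_DEST
    return dest


def verified_redirect(query_string):
    """The same handler with the destination checked against the whitelist first."""
    params = parse_qs(query_string)
    dest = params.get("url", [""])[0]
    return (302, {"Location": safe_redirect_target(dest)})


if __name__ == "__main__":
    # Constructed sample query strings, as a login page might receive them.
    for qs in ("url=/account/settings",
               "url=https://accounts.example.com/login",
               "url=https://other.example/login",
               "url=%2F%2Fother.example/login"):
        print(qs, "->", open_redirect(qs)[1]["Location"],
              "| verified:", verified_redirect(qs)[1]["Location"])
```

The whitelist is a set of exact host names rather than a prefix or substring match; matching on a prefix is the usual mistake, since `https://www.example.com.other.example/` begins with the trusted name. Parsing with `urlsplit` and comparing `hostname` means userinfo, ports and case differences cannot smuggle a different host past the check.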
Programming techniques that worked well in the past still work well, but they require additional attention to security in open environments. The old adage "trust, but verify" should come to mind every time we add an openly accessible parameter to an application.