Is it safe to redirect to an url like so: "https://example.com/" + userData?

Can I safely use user data when redirecting to a URL on my own domain?

Assume that I own example.com. If normal usage of my app would require me to redirect users to urls like this at times, is this ok?

https://example.com/ + userData

Is there any way this can be used to do an exploit, and run JavaScript for example? Or redirect to some completely different domain?

For the purposes of this discussion, I'd like to:

  • ignore directory traversal attacks
  • only consider attacks that affect the browser (not the example.com server)

You can assume I'm doing no encoding of the parameter I received from the user at all.

EDIT: Clarification - the userData isn't added to the page in any way - it only resides in the URL itself.

Brad Parks asked Feb 28 '19 16:02


2 Answers

As mentioned in the comments this scenario doesn't seem to be exploitable with the javascript: (or data:, which can also be used to execute JavaScript) pseudo protocol. However, it may be possible to perform a reflected XSS attack, if example.com outputs userData on a custom 404 page. Let's assume that this page displays an error message:

<h1>Page 'userData' not found.</h1>

In this case, if an attacker submits a JavaScript payload (eg: <script>alert('xss');</script>), it will be rendered on the page,

<h1>Page '<script>alert('xss');</script>' not found.</h1>

and the code may be executed by a visitor. This attack can be prevented by filtering the user data - user input should always be sanitized anyway.

An open redirect exploit does not seem very likely because the user input is appended to the domain, and exploit attempts should result in a 404 response. Of course, if there are other local pages that allow any redirects, then an attacker could use them in their payload, eg:

vulnerable/page?url=http://attacker.com

Note that just because I can't confirm an exploit that doesn't mean that the code isn't vulnerable, depending on the server configuration. We can prevent open redirect exploits by filtering user data based on a list of valid and trusted locations. This may also help with several other attacks targeting the server, such as directory traversal, file inclusion and server side request forgery attacks.

t.m.adam answered Sep 21 '22 18:09
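The two defences named in this answer, escaping userData before it lands on the 404 page and checking a redirect target against a list of trusted locations, shown as a worked example. This is added code, not the answerer's or any project's; it is Node.js using only the built-in WHATWG URL parser, and the allowlist of paths and the site origin are assumptions.

```javascript
// Added example (not from the original answer): escaping userData on the
// custom 404 page, and allowlisting the target of "https://example.com/" + userData.

const BASE = "https://example.com/"; // the site's own origin, as in the question

// Paths on example.com a redirect may land on (assumed allowlist for the example).
const ALLOWED_PATHS = new Set(["/", "/account", "/settings", "/help"]);

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The 404 page from the answer, with the user-controlled value escaped
// before it is placed in the markup, so <script> is rendered as text.
function render404(userData) {
  return `<h1>Page '${escapeHtml(userData)}' not found.</h1>`;
}

// Build the target exactly as the question does (string concatenation),
// then parse it and accept it only if it stays on our origin and hits an
// allowed path. Returns the canonical target, or null to refuse the redirect.
function safeRedirectTarget(userData) {
  let url;
  try {
    url = new URL(BASE + userData);
  } catch {
    return null; // unparsable input: refuse rather than guess
  }
  const base = new URL(BASE);
  if (url.origin !== base.origin) return null;       // never leave example.com
  if (!ALLOWED_PATHS.has(url.pathname)) return null; // unknown path: refuse (the server would 404 anyway)
  // Drop query and fragment, so a local open-redirect page such as
  // vulnerable/page?url=... cannot be chained through this redirect.
  return base.origin + url.pathname;
}

// Constructed inputs: the XSS payload from the answer and a few redirect attempts.
const XSS_PAYLOAD = "<script>alert('xss');</script>";
console.log(render404(XSS_PAYLOAD));
for (const input of ["account", "//attacker.com", "account?url=http://attacker.com",
                     "vulnerable/page?url=http://attacker.com"]) {
  console.log(JSON.stringify(input), "->", safeRedirectTarget(input));
}
```

The origin check is cheap insurance: with plain concatenation after a trailing slash an input such as `//attacker.com` stays on example.com as a path, but the same check keeps the function correct if the redirect code is later changed to resolve relative URLs instead.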


  1. This may be a point for a phishing attack

An attacker may send an email pretending to be mail from your site and inject a link like this (I assume "jumper.php" is a page that has a single url parameter with the target url, which may contain user data):

To verify your account please follow this link: http://example.com/jumper.php?url=http%3A%2F%2Fexample-my.com

In that case, the user will see in the mail a link starting with http://example.com and may assume that this is a valid link to your site, but actually he will be redirected to http://example-my.com, which may be controlled by the attacker (and look much like your site).

  2. In some cases, people are using javascript for redirection

If the page contains code like this (php example):

<script>location.replace(<?= json_encode($userData) ?>);</script>

Then, even if the variable is properly sanitized, an attacker may execute arbitrary javascript code in the context of http://example.com by redirecting to javascript:.... For example:

To verify your account please follow this link: http://example.com/jumper.php?url=javascript%3Aalert%28document.cookie%29

In that case, the redirection will transform to

<script>location.replace("javascript:alert(document.cookie)");</script>

and the code javascript:alert(document.cookie) (as an example) will be executed in the context of http://example.com. Sure, an attacker may do much more powerful things by injecting arbitrary javascript code.

Serge Ageyev answered Sep 20 '22 18:09
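The point of this answer is that JSON-encoding the value keeps it inside the string literal but says nothing about where location.replace will send the browser. Below is an added example, not the answerer's code, of validating the url parameter of a jumper-style page before it is written into the script tag: only https URLs on the site's own origin (or site-relative paths) pass; javascript:, data:, other hosts and protocol-relative targets are refused. Node.js with the built-in URL parser; the site origin and the fallback to the site root are assumptions.

```javascript
// Added example (not from the original answer): validating the jumper.php
// "url" parameter before it reaches <script>location.replace(...)</script>.

const SITE_ORIGIN = "https://example.com"; // assumed own origin

// Accept only https URLs on our own origin; relative paths resolve against it.
// Returns the normalized absolute URL, or null when the redirect must be refused.
function validateJumperUrl(raw) {
  let target;
  try {
    target = new URL(raw, SITE_ORIGIN);
  } catch {
    return null; // unparsable: refuse
  }
  // Scheme allowlist: javascript: and data: never get through, regardless of
  // how the value is later encoded into the page.
  if (target.protocol !== "https:") return null;
  // Same-origin check: blocks example-my.com and protocol-relative "//host".
  if (target.origin !== SITE_ORIGIN) return null;
  // target.href is the parser's serialization, so characters such as "<" in
  // the path come back percent-encoded and cannot close the <script> element.
  return target.href;
}

// Emit the snippet from the answer, but only for a validated target; on
// refusal send the user to the site root instead of echoing the input.
function redirectScript(raw) {
  const safe = validateJumperUrl(raw) || SITE_ORIGIN + "/";
  // JSON.stringify still belongs here: it keeps the value a string literal.
  // The scheme check above is what stops a javascript: URL from running.
  return `<script>location.replace(${JSON.stringify(safe)});</script>`;
}

// The two payloads from the answer, percent-decoded as the server sees them.
const PHISHING = decodeURIComponent("http%3A%2F%2Fexample-my.com");
const JS_SCHEME = decodeURIComponent("javascript%3Aalert%28document.cookie%29");

for (const input of [PHISHING, JS_SCHEME, "/account?step=2", "//attacker.com/x"]) {
  console.log(JSON.stringify(input), "->", validateJumperUrl(input));
}
console.log(redirectScript(JS_SCHEME));
```

Where the legitimate targets are a small fixed set, an even stricter design is to pass an identifier (such as `?to=account`) and look the destination up on the server, so no URL from the request is ever written into the page at all.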
