I have a members area on my site where if a user is not logged in, they are redirected to the login url with ?redirect=[CURRENT_URL] and they are redirected back to [CURRENT_URL] once they successfully login.
What are the potential security issues with this approach, how to prevent them and what are the alternatives?
e.g. a malicious user can link to my site with a redirect link to another site, would that other site be able to steal my user's login cookie? Is it possible to run arbitrary javascript on my site with this approach?
If current url is not redacted, you can be subject to
etc
If you know current URL is a constant and has NO parameters, it's not as risky. As soon as you add parameters or make the url based on user input, trickiness ensues.
A trivial example of XSS:
Say your url can have a query string injected via user input. Then what stops them from saying
redirectUrl="yoursite.jsp?somevariable="alert('malware')"); or redirectUrl="yoursite.jsp?somevariable="alert(document.cookies)");
And stealing your cookies or executing other evil java script.
Response splitting is more complicated. Basically if you can inject a CRLF you can do some very whacky things.
Wikipedia has a decent explanation of this vulnerability - there are others you can find by googling for http response splitting.
I've left out the most obvious attack which is if the user can control the url they can go to a site that LOOKS like yours and convince the user to enter credit cards, credentials etc. Eg if you are a bank, and someone can inject
redirectURL="http://myfakebank.com"
and copies your page, gosh, the user will happily say "Sure, I'll reeenter my credentials"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With