Open Redirect in openwhyd/openwhyd
Reported on
Dec 5th 2021
Description
This vulnerability was discovered here by @mdakh404. However, it was not patched properly, and I bypassed the patch with a simple trick.
r.html = mainTemplate.renderWhydPage(r);
}
// call the adequate renderer
- if (r.redirect) response.redirect(r.redirect);
+ if (r.redirect) response.safeRedirect(r.redirect);
else if (r.html) response.renderHTML(r.html);
else response.renderJSON(r);
// and track visit to that page
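Review bot: routing this call through safeRedirect only helps if safeRedirect validates the target by its origin rather than by a string prefix of the href; the check it delegates to should be reviewed together with this call site, and any other handler that passes a user-controlled target to response.redirect should be switched to the same validated path so the fix is not limited to consent.js.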
// https://github.com/openwhyd/openwhyd/commit/eb7a0e0cc7a6fc13b24490cfc515358489633a01#diff-55cf206bea85b4152b39d303c4ca205c9e5b7ad4e459f31cf897be7551ca45e4
First, I checked how it was patched. In the patch, the redirect() method used when redirecting in consent.js was replaced with the safeRedirect() method.
);
};
+ // TODO: this function is overrided by Express => delete it to prevent ambiguity
http.ServerResponse.prototype.redirect = function (url) {
return this.renderHTML(loggingTemplate.htmlRedirect(url));
};
+ http.ServerResponse.prototype.safeRedirect = function (url) {
+ const fullURL = new URL(url, config.urlPrefix);
+ if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+ this.redirect(url);
+ };
+
http.ServerResponse.prototype.redirectWithTracking = function (url, title) {
return this.renderHTML(
loggingTemplate.renderRedirectPageWithTracking(url, title)
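Review bot: the check in safeRedirect, `if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();`, compares the href string against config.urlPrefix, so anything whose href merely begins with the prefix passes even when its host is a different site (for example a target carrying a userinfo component, or a host that extends the prefix with further labels); compare `fullURL.origin` against the origin of `config.urlPrefix` instead, and keep rejecting with forbidden() when they differ. The TODO on the redirect override also deserves a follow-up: with Express overriding the same method, it is ambiguous which implementation safeRedirect ends up calling.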
// https://github.com/openwhyd/openwhyd/commit/eb7a0e0cc7a6fc13b24490cfc515358489633a01#diff-852ce8e613d24ce649f8590a2661ba293b6043c9105024a8070f14ce8833a48d
The safeRedirect() method has been added to logging.js. However, look at the safeRedirect() method and you can see that it is flawed...
+ if (!fullURL.toString().startsWith(config.urlPrefix))
Look at the conditional statement! The value of url is parsed with the URL() constructor and stored in the fullURL variable. Then, in the if statement, fullURL is converted to a string and compared with the urlPrefix value. The default string value of a URL object is its href, not its origin, host, or hostname.
Look at the picture above. The flaw can be circumvented with a simple trick. The origin, host, or hostname must be used to validate the url!
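To make the difference concrete, here is an added example (not code from the openwhyd project): a function reproducing the patch's href-prefix check next to an origin-based check, run over the report's bypass URL and a few constructed variants. It assumes the site prefix is `https://openwhyd.org`; the real value of `config.urlPrefix` is not shown here. The constructed variants go beyond the report's single case to show other shapes the prefix check lets through and the origin check does not.

```javascript
// Added example, not openwhyd code: the patch's href-prefix check beside an origin check.
// ASSUMPTION: the site prefix is "https://openwhyd.org"; config.urlPrefix is not shown on the page.
const URL_PREFIX = 'https://openwhyd.org';

// Same logic as the patched safeRedirect(): resolve the target against the site prefix,
// then compare the resulting href string against the prefix with startsWith().
function prefixCheckAllows(target, prefix = URL_PREFIX) {
  let fullURL;
  try {
    fullURL = new URL(target, prefix);
  } catch {
    return false; // unparseable target: refuse the redirect
  }
  return fullURL.toString().startsWith(prefix);
}

// Hardened variant: compare the origin (scheme + host + port) of the resolved target with
// the origin of the site prefix. Userinfo, path, query and fragment never affect origin.
function originCheckAllows(target, prefix = URL_PREFIX) {
  let fullURL;
  try {
    fullURL = new URL(target, prefix);
  } catch {
    return false;
  }
  return fullURL.origin === new URL(prefix).origin;
}

// Constructed sample targets: the report's bypass plus related shapes.
const SAMPLES = [
  '/u/123',                            // relative path: stays on site, should be allowed
  'https://openwhyd.org/consent',      // same origin: should be allowed
  'https://openwhyd.org@google.com',   // the report's bypass: "openwhyd.org" is userinfo, host is google.com
  'https://openwhyd.org.evil.example', // constructed: host that merely extends the prefix
  '//evil.example/',                   // constructed: protocol-relative target
];

// Returns one row per sample so the two checks can be compared side by side.
function compareChecks(samples = SAMPLES) {
  return samples.map((target) => ({
    target,
    resolvedHost: new URL(target, URL_PREFIX).host,
    prefixCheck: prefixCheckAllows(target),
    originCheck: originCheckAllows(target),
  }));
}

console.table(compareChecks());
```

The table shows the report's URL and the prefix-shaped host both passing the href check while the origin check rejects them; relative paths resolve against the prefix and are accepted by both, which is the behaviour a login or consent flow actually needs.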
Proof of Concept
1. Open the https://openwhyd.org/consent?redirect=https://openwhyd.org@google.com
2. If you click the button after agreeing to the terms and conditions, you will be redirected to Google.
Impact
An open redirect can be chained into further damage by sending users to a malicious site while the link they clicked appears to point at openwhyd.org.
Good catch, thanks for submitting! I'm working on a fix: https://github.com/openwhyd/openwhyd/pull/498 Feedback is welcome.