Redirection Perils

John Herron brought to my attention an article he posted on NIST.org (Network Information Security Technology) in which he discusses redirection holes and their practical security issues. I think he does a really good job of explaining the problem, where I may have failed over the last few weeks. As a web-application vulnerability on its own, an open redirect is a relatively low risk, but from a social-engineering and obfuscation perspective the threat is still not properly understood, in my opinion.

One thing he mentions in his article is something I have attempted to demonstrate at the bottom of the XSS Cheat Sheet: URL obfuscation makes this issue harder both to detect and even to see. He has also done a good job of showing something I haven't discussed, which is that adding extra parameters to the URL can make it nearly impossible to tell where it actually goes. It's worth reading if you still think redirection is a non-issue.
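The two sides of the problem described above, as an added example that is not part of the original post or of John Herron's article: first a small decoder that pulls the real destination host out of a parameter-riddled or obfuscated redirect URL (percent-encoded and double-encoded targets, the dword-IP form, and the `user@host` trick), then the check a server should apply before issuing a redirect, which only follows relative paths or hosts on an allowlist. The rds.yahoo.com URL is the one quoted in the comments on this post; every other URL and host name (tracker.example, evil.example, bank.example, www.example.com) is a constructed sample, and `ALLOWED_HOSTS` stands in for whatever a real site would configure.

```python
"""Added example (not code from the original post): see where an obfuscated
redirect really goes, and a hardened redirect check for the server side.
Hosts named *.example are constructed samples; ALLOWED_HOSTS is an assumption.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Quoted in the comment thread of the post: a tracking redirect whose real
# target is buried after a wall of opaque tokens and a percent-encoded scheme.
YAHOO_REDIRECT = (
    "http://rds.yahoo.com/_ylt=A0geuugnQrNETE8A371XNyoA;_ylu=X3oDMTB2c2Zzc202"
    "BGNvbG8DZQRsA1dTMQRwb3MDMwRzZWMDc3IEdnRpZAM-/SIG=11gv3e6l5/EXP=1152684967"
    "/**http%3a//ha.ckers.org/xss.html"
)

# Constructed sample: two encoded targets, one a dword IP, one using the
# "bank.example@evil.example" userinfo trick that the eye reads as bank.example.
OBFUSCATED_REDIRECT = (
    "http://tracker.example/out?u=http%3A%2F%2F3232235777%2Fpay"
    "&ref=http%3A%2F%2Fbank.example%40evil.example%2F"
)

# Assumption: the hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable; double encoding is a common way to slip
    a target past a naive filter (and past the reader)."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def real_host(netloc: str) -> str:
    """Normalise a netloc to the host a browser will actually connect to:
    drop userinfo (everything before the last '@'), drop the port, and turn a
    decimal or 0x-hex dword address back into dotted-quad form."""
    host = netloc.rsplit("@", 1)[-1]
    if "]" not in host:                      # skip bracketed IPv6 literals
        host = host.rsplit(":", 1)[0]
    n = None
    try:
        if host.lower().startswith("0x"):
            n = int(host, 16)
        elif host.isdigit():
            n = int(host)
    except ValueError:
        n = None
    if n is not None and 0 <= n < 2**32:
        return str(ipaddress.ip_address(n))
    return host.lower()


def destinations(url: str) -> List[str]:
    """Every host named anywhere in `url`, outermost first, after decoding.
    Anything after the first entry is a place the redirect may send you."""
    decoded = fully_decode(url)
    return [real_host(urlsplit(u).netloc)
            for u in re.findall(r"https?://[^/?#\s]+", decoded)]


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Server-side check: return the target to redirect to, or None.
    Accepts only absolute paths on this site (rejecting scheme-relative '//'
    and backslash variants) or http(s) URLs whose real host is allowlisted."""
    decoded = fully_decode(target)
    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        ok = (decoded.startswith("/")
              and not decoded.startswith("//")
              and "\\" not in decoded)
        return decoded if ok else None
    if parts.scheme not in ("http", "https"):
        return None
    if "@" in parts.netloc:                  # never trust userinfo in a redirect target
        return None
    return decoded if real_host(parts.netloc) in allowed_hosts else None


if __name__ == "__main__":
    for u in (YAHOO_REDIRECT, OBFUSCATED_REDIRECT):
        print(u[:60] + "...", "->", destinations(u))
    for t in ("/account", "//evil.example/", "http://www.example.com@evil.example/",
              "http://3232235777/", "https://example.com/login"):
        print(repr(t), "->", safe_redirect_target(t))
```

The decoder is for the reader of a link: it lists every host mentioned in the URL once the encoding layers are stripped, so the second and later entries are the hops to worry about. The validator is for the site issuing the redirect, and it deliberately decides on the decoded form, because that is the form the browser will end up following.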

3 Responses to “Redirection Perils”

  1. phaithful Says:

    I knew about dWord, but I especially like the p-pal phishing reference. Nice twist.

  2. phaithful Says:

    Actually… now that I think of it… the parameter twist would work very well on Yahoo.

    Before, all the organic listings in Yahoo's SERPs showed the destination URLs in the status bar, and you were able to tell which listings were paid inclusion and which were not by the redirecting, parameter-riddled URLs.

    However, as of today all of Yahoo's URLs use the rds.yahoo.com redirect. They now track all click-throughs for all organic listings.

    e.g. http://rds.yahoo.com/_ylt=A0geuugnQrNETE8A371XNyoA;_ylu=X3oDMTB2c2Zzc202BGNvbG8DZQRsA1dTMQRwb3MDMwRzZWMDc3IEdnRpZAM-/SIG=11gv3e6l5/EXP=1152684967/**http%3a//ha.ckers.org/xss.html

  3. RSnake Says:

    Yup, you got it: with redirection it is getting easier and easier to fool the naked eye. It's next to impossible to tell where something is going without actually clicking on it, and a really crazy URL like that doesn't make matters any easier. It just hurts your brand.