[Website Vulnerability] Open Redirect #6306

Closed
apekz opened this issue May 20, 2017 · 1 comment
Component: Website Issues related to arduino.cc, but not the documentation content

apekz commented May 20, 2017

Hi Arduino,

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

I've found a bug in your website which allows an authenticated user to be redirected to a malware/phishing site while thinking it's safe because it comes from your site. In this way the user's credentials can be hacked.

https://auth.arduino.cc/login?redirect_uri=

redirect_uri is the vulnerable parameter.
Let's try adding a website:

https://auth.arduino.cc/login?redirect_uri=https://www.phishingnmalware.com/

If you click that link, you'll get redirected to phishingnmalware.com

Preventing Unvalidated Redirects and Forwards
Safe use of redirects and forwards can be done in a number of ways:

Simply avoid using redirects and forwards.
If used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate the URL.
If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

Best Regards,
Jolan Saluria
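As an added example (not code from the report, and not Arduino's own login code, whose stack the issue does not show), here is a Python validator for a redirect_uri parameter that implements the allow-list and the key-to-URL mapping advice above, next to the naive substring check that is still an open redirect. ALLOWED_HOSTS, DEFAULT_REDIRECT, REDIRECT_TARGETS and the sample inputs are assumed values chosen for the demonstration.

```python
from urllib.parse import urlsplit, urljoin

# Assumed allow-list of hosts the login page may send a user back to,
# and the landing page used whenever the supplied value is rejected.
ALLOWED_HOSTS = {"www.arduino.cc", "create.arduino.cc"}
DEFAULT_REDIRECT = "https://www.arduino.cc/"

# Assumed key -> URL map: the client sends a short key, never a URL.
REDIRECT_TARGETS = {
    "store": "https://store.arduino.cc/",
    "create": "https://create.arduino.cc/",
}


def naive_is_safe(redirect_uri):
    """The kind of check that still leaves an open redirect: a substring
    match accepts https://evil.example/?x=arduino.cc and many other tricks."""
    return "arduino.cc" in redirect_uri


def is_safe_redirect(redirect_uri):
    """Strict validation: either a site-local path (single leading slash)
    or an absolute https URL whose host is on the allow-list."""
    if not redirect_uri:
        return False
    # Browsers treat backslashes in authority/path as slashes, Python's
    # parser does not; refuse them rather than guess.
    if "\\" in redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path. "//host/..." is protocol-relative and parses with a
        # non-empty netloc, so it does not reach this branch.
        return redirect_uri.startswith("/") and not redirect_uri.startswith("//")
    if parts.scheme != "https":          # rejects http:, javascript:, data:, ...
        return False
    if parts.username or parts.password:  # https://www.arduino.cc@evil.example/
        return False
    try:
        port = parts.port                # raises ValueError on a garbage port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    # .hostname is lowercased, so an exact set lookup is a whole-host
    # comparison; www.arduino.cc.evil.example does not match.
    return parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(redirect_uri):
    """Return the URL to send the user to: the validated input, a site-local
    path resolved against our origin, or the default landing page."""
    if not is_safe_redirect(redirect_uri):
        return DEFAULT_REDIRECT
    if redirect_uri.startswith("/"):
        return urljoin(DEFAULT_REDIRECT, redirect_uri)
    return redirect_uri


def resolve_redirect(key):
    """Mapping approach: the parameter is a key, the server owns the URLs."""
    return REDIRECT_TARGETS.get(key, DEFAULT_REDIRECT)


if __name__ == "__main__":
    # Constructed sample inputs: the report's payload plus common bypasses.
    samples = [
        "https://www.phishingnmalware.com/",
        "https://www.phishingnmalware.com/?x=arduino.cc",
        "//www.phishingnmalware.com/",
        "https://www.arduino.cc@www.phishingnmalware.com/",
        "https://www.arduino.cc.phishingnmalware.com/",
        "javascript:alert(1)",
        "http://www.arduino.cc/",
        "https://www.arduino.cc/projects",
        "/account/settings",
    ]
    for s in samples:
        print(f"{s!r:55} naive={naive_is_safe(s)!s:5} strict={is_safe_redirect(s)!s:5} "
              f"-> {safe_redirect_target(s)}")
```

The second and fourth samples are the instructive ones: the substring check accepts both, while the strict validator accepts only a whole-host match on an https URL with no userinfo. Where the application can get away with it, the mapping in resolve_redirect is simpler still, because no URL from the client is ever parsed at all.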

@apekz apekz changed the title Open Redirect [Website Vulnerability] Open Redirect May 20, 2017
@facchinm facchinm added the Component: Website Issues related to arduino.cc, but not the documentation content label May 22, 2017
@mastrolinux
Contributor

This has been fixed some weeks ago.
