Hey it’s been a while since,it posted here,so from today i am starting a new series called secure-code reviews,as part of my appsec preparation.I hope this series will helpful to you in finding vulnerablities and writing secure code.

So,Few days a ago i found a GitHub repo Which contains some secure code review challenges,so i will using this repo.currently it has like some 17 (as of writing this post) challenges based on different vulnerablities and the first challenge is based on Open redirect .

Open Redirect Vulnerablity.

Now,Before diving into the challenge,let’s talk about what a Open Redirect Vulnerablity is.So According to PortSwigger Academy,

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

And After Reading this,I didnt understand anything,So i asked gpt to make it easier for me to understand so i will try to explain according to my understanding .

So,an open redirect vulnerality occurs,when the web application doesnt sanitise the user input,and then redirects to the desired url provided by the user.Let’s go with an example

Let’s Say We have a Web application running on :http:\\crazyyapp.com/redirecturl=

Now here,We have a parameter called redirecturl, which will take the user input.so when a user put a url in that parameter,the application will redirect to the provided url.

Now let’s go head to the challenge.

Here,We have a Python Flask code.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

from flask import Flask, request, redirect, url_for
import logging

app = Flask(__name__)

logging.basicConfig(level=logging.INFO)

def is_authenticated_user():
    # This function checks if the user is authenticated and is omitted for brevity
   pass

@app.route('/')
def home():
    if not is_authenticated_user():
        logging.info('Unauthorized access attempt.')
        return redirect(url_for('login'))

    redirect_url = request.args.get('redirect_url')
    if redirect_url:
        logging.info(f'Redirecting to: {redirect_url}')
        return redirect(redirect_url)

    return 'Welcome to the home page!'

@app.route('/login')
def login():
    # Simulated login page
    return 'Login Page - User authentication goes here.'

if __name__ == '__main__':
    app.run(debug=False)

We have Some functions here,we have is_authenticated_user ,login and home.Here as the only function we need to focus is home.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

@app.route('/')
def home():
    if not is_authenticated_user():
        logging.info('Unauthorized access attempt.')
        return redirect(url_for('login'))

    redirect_url = request.args.get('redirect_url')
    if redirect_url:
        logging.info(f'Redirecting to: {redirect_url}')
        return redirect(redirect_url)

    return 'Welcome to the home page!'

Now as we can see,the user input is stored in the redirect_url variable,and then it’s get redirected to it without any user santization.Hence this code is vulnerable to open redirect vulnerablity.

More Info :

Open Redirect

Open Redirect Lab