- From: Chris Weber <chris@lookout.net>
- Date: Tue, 07 Feb 2012 09:10:42 -0800
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2/7/2012 8:38 AM, Martin Thomson wrote:
> I don't see the problem. So I ask to modify X, but then X points me to
> Y, so I either automatically modify Y, or require confirmation before
> doing so. There isn't a security problem. X has the information and
> could forward to Y itself.

Within the security community the issue has been termed "Open Redirect" and has been well documented here http://cwe.mitre.org/data/definitions/601.html and here https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards as well as other places. It's not a vulnerability by itself but has been heavily abused by phishing attacks over the years. As such, any security review or penetration test performed today will flag open redirects as an issue that needs to be addressed.

To protect their users, many top applications have built in 'safe redirect' protections that allow same-origin redirects and either disallow or prompt the user before allowing redirection to third-party domains.

From my point of view it's the job of the applications to implement safe redirection protection, and several libraries already exist for this. If users started seeing prompts for all offsite redirects I'm sure that they'd just end up clicking the check box to 'never show me this message again.'

Best regards,
Chris Weber
Received on Tuesday, 7 February 2012 17:13:22 UTC
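The 'safe redirect' policy the message describes (pass same-origin targets through, route third-party targets through a confirmation step, refuse anything a browser would not treat as a web page), written out as an added example. This is not code from the HTTP WG thread, from Chris Weber, or from any of the libraries he refers to; the hostnames, the `trusted_hosts` allow-list and the `/redirect-warning` interstitial path are assumptions made for illustration. It goes a little beyond the text in that it also handles the usual bypasses a penetration tester would try against such a check: scheme-relative `//host`, backslash-as-slash, userinfo (`https://good@evil`), look-alike suffix hosts and embedded CR/LF.

```python
"""Added example of a 'safe redirect' check. Not code from the HTTP WG thread;
hostnames and the /redirect-warning interstitial path are assumptions."""
from urllib.parse import urlsplit, quote

ALLOW, PROMPT, DENY = "allow", "prompt", "deny"

# Schemes a browser would follow to a web page; anything else (javascript:,
# data:, vbscript:, file:, ...) is refused outright.
_WEB_SCHEMES = {"", "http", "https"}


def classify_redirect(target, app_host, trusted_hosts=()):
    """Classify a redirect target as same-origin (ALLOW), third-party (PROMPT)
    or not followable at all (DENY).

    Returns (decision, host): host is the lower-cased destination host for
    absolute targets and None for same-origin relative paths.
    """
    if not target:
        return DENY, None
    # Raw CR/LF/TAB would end up in a Location header or be silently stripped
    # by the browser; refuse rather than guess what the browser will do.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return DENY, None
    # Browsers treat '\' like '/' in the authority position, so '/\evil.org'
    # is really '//evil.org'. Normalise before parsing so urlsplit sees it.
    target = target.replace("\\", "/")

    parts = urlsplit(target)
    if parts.scheme not in _WEB_SCHEMES:
        return DENY, None
    if parts.scheme and not parts.netloc:
        # 'http:evil.org': scheme present but no authority; how a browser
        # resolves this depends on the base URL, so do not allow it.
        return DENY, None
    if not parts.netloc:
        # Relative path: resolves within our own origin.
        return ALLOW, None

    host = parts.hostname  # drops userinfo and port, lower-cases the host
    if not host:
        return DENY, None
    host = host.rstrip(".")
    app_host = app_host.lower().rstrip(".")

    if host == app_host:
        return ALLOW, host
    # Exact or subdomain match against an explicit allow-list of partner hosts;
    # a plain endswith() on the bare name would let 'example.com.evil.org' in.
    for trusted in trusted_hosts:
        trusted = trusted.lower().rstrip(".")
        if host == trusted or host.endswith("." + trusted):
            return ALLOW, host
    return PROMPT, host


def resolve_redirect(target, app_host, trusted_hosts=(), fallback="/"):
    """Turn a requested redirect target into the Location the app should send.

    Same-origin targets pass through, third-party targets are sent to an
    interstitial page (assumed path /redirect-warning) that shows the
    destination host and asks for confirmation, and anything else falls back
    to a safe default.
    """
    decision, host = classify_redirect(target, app_host, trusted_hosts)
    if decision == ALLOW:
        return target.replace("\\", "/")
    if decision == PROMPT:
        return ("/redirect-warning?to=" + quote(target, safe="")
                + "&host=" + quote(host, safe=""))
    return fallback


if __name__ == "__main__":
    # Constructed sample targets of the kind an attacker would craft.
    samples = [
        "/account",
        "https://example.com/settings",
        "//evil.example.org/phish",
        r"/\evil.example.org/phish",
        "https://example.com@evil.example.org/",
        "https://example.com.evil.example.org/",
        "javascript:alert(1)",
        "http:evil.example.org",
    ]
    for s in samples:
        print(f"{s!r:45} -> {classify_redirect(s, 'example.com')}")
```

The comparison is on the host only, so a same-host target on a different port is still treated as same-origin; an application that serves different trust zones on different ports should compare `parts.netloc` instead. Whether third-party targets get PROMPT or DENY is the policy choice the message discusses; the code exposes the decision so the application can pick.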