Merge pull request #542 from digininja/open_redirect

Open redirect

dvwa/includes/dvwaPage.inc.php

@@ -279,6 +279,7 @@ function dvwaHtmlEcho( $pPage ) {
 		if (dvwaCurrentUser() == "admin") {
 			$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'authbypass', 'name' => 'Authorisation Bypass', 'url' => 'vulnerabilities/authbypass/' );
 		}
+		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'open_redirect', 'name' => 'Open HTTP Redirect', 'url' => 'vulnerabilities/open_redirect/' );
 	}
 
 	$menuBlocks[ 'meta' ] = array();

vulnerabilities/open_redirect/help/help.php

@@ -0,0 +1,57 @@
+<div class="body_padded">
+	<h1>Help - Open HTTP Redirect</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>
+		OWASP define this as:
+		</p>
+		<blockquote cite="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">
+			Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
+		</blockquote>
+
+		<p>As suggested above, a common use for this is to create a URL which initially goes to the real site but then redirects the victim off to a site controlled by the attacker. This site could be a clone of the target's login page to steal credentials, a request for credit card details to pay for a service on the target site, or simply a spam page full of advertising.</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Abuse the redirect page to move the user off the DVWA site or onto a different page on the site than expected.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>The redirect page has no limitations, you can redirect to anywhere you want.</p>
+		<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja</span></p>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>The code prevents you from using absolute URLs to take the user off the site, so you can either use relative URLs to take them to other pages on the same site or a <a href="https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL" target="_blank">Protocol-relative URL</a>.</p>
+
+		<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=//digi.ninja</span></p>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>The redirect page tries to lock you to only redirect to the info.php page, but does this by checking that the URL contains "info.php".</p>
+
+		<p>Spoiler: <span class="spoiler">Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja/?a=info.php</span></p>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>Rather than accepting a page or URL as the redirect target, the system uses ID values to tell the redirect page where to redirect to. This ties the system down to only redirect to pages it knows about and so there is no way for an attacker to modify things to go to a page of their choosing.</p>
+
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Password_cracking' ); ?></p>
+</div>

vulnerabilities/open_redirect/index.php

@@ -0,0 +1,60 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: Open HTTP Redirect' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'open_redirect';
+$page[ 'help_button' ]   = 'open_redirect';
+$page[ 'source_button' ] = 'open_redirect';
+dvwaDatabaseConnect();
+
+switch( dvwaSecurityLevelGet() ) {
+	case 'low':
+		$link1 = "source/low.php?redirect=info.php?id=1";
+		$link2 = "source/low.php?redirect=info.php?id=2";
+		break;
+	case 'medium':
+		$link1 = "source/medium.php?redirect=info.php?id=1";
+		$link2 = "source/medium.php?redirect=info.php?id=2";
+		break;
+	case 'high':
+		$link1 = "source/high.php?redirect=info.php?id=1";
+		$link2 = "source/high.php?redirect=info.php?id=2";
+		break;
+	default:
+		$link1 = "source/impossible.php?redirect=1";
+		$link2 = "source/impossible.php?redirect=2";
+		break;
+}
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: Open HTTP Redirect</h1>
+
+	<div class=\"vulnerable_code_area\">
+		<h2>Hacker History</h2>
+		<p>
+			Here are two links to some famous hacker quotes, see if you can hack them.
+		</p>
+		<ul>
+			<li><a href='{$link1}'>Quote 1</a></li>
+			<li><a href='{$link2}'>Quote 2</a></li>
+		</ul>
+		{$html}
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . "</li>
+	</ul>
+</div>\n";
+
+dvwaHtmlEcho( $page );
+
+?>

vulnerabilities/open_redirect/source/high.php

@@ -0,0 +1,21 @@
+<?php
+
+if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
+	if (strpos($_GET['redirect'], "info.php") !== false) {
+		header ("location: " . $_GET['redirect']);
+		exit;
+	} else {
+		http_response_code (500);
+		?>
+		<p>You can only redirect to the info page.</p>
+		<?php
+		exit;
+	}
+}
+
+http_response_code (500);
+?>
+<p>Missing redirect target.</p>
+<?php
+exit;
+?>

vulnerabilities/open_redirect/source/impossible.php

@@ -0,0 +1,29 @@
+<?php
+
+$target = "";
+
+if (array_key_exists ("redirect", $_GET) && is_numeric($_GET['redirect'])) {
+	switch (intval ($_GET['redirect'])) {
+		case 1:
+			$target = "info.php?id=1";
+			break;
+		case 2:
+			$target = "info.php?id=2";
+			break;
+		case 99:
+			$target = "https://digi.ninja";
+			break;
+	}
+	if ($target != "") {
+		header ("location: " . $target);
+		exit;
+	} else {
+		?>
+		Unknown redirect target.
+		<?php
+		exit;
+	}
+}
+
+?>
+Missing redirect target.

vulnerabilities/open_redirect/source/info.php

@@ -0,0 +1,61 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: Open HTTP Redirect' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'open_redirect';
+$page[ 'help_button' ]   = 'open_redirect';
+$page[ 'source_button' ] = 'open_redirect';
+dvwaDatabaseConnect();
+
+$info = "";
+
+if (array_key_exists ("id", $_GET) && is_numeric($_GET['id'])) {
+	switch (intval ($_GET['id'])) {
+		case 1:
+			$info = "Why did he come to you?<br />I got a record, I was Zero Cool<br />Zero Cool. Crashed 1507 systems in one day, biggest crash in history, front page, New York Times August 10th 1988.";
+			break;
+		case 2:
+			$info = "Who are you anyway?<br />Johnny.<br />Johnny who?<br />Just... Johnny?";
+			break;
+		default:
+			$info = "Some other stuff";
+	}
+}
+
+if ($info == "") {
+	http_response_code (500);
+	?>
+	<p>Missing quote ID.</p>
+	<?php
+	exit;
+}
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: Open HTTP Redirect</h1>
+
+	<div class=\"vulnerable_code_area\">
+		<h2>Hacker Quotes</h2>
+		<p>
+			{$info}
+		</p>
+		<p><a href='../'>Back</a></p>
+		{$html}
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . "</li>
+	</ul>
+</div>\n";
+
+dvwaHtmlEcho( $page );
+
+?>

vulnerabilities/open_redirect/source/low.php

@@ -0,0 +1,13 @@
+<?php
+
+if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
+	header ("location: " . $_GET['redirect']);
+	exit;
+}
+
+http_response_code (500);
+?>
+<p>Missing redirect target.</p>
+<?php
+exit;
+?>

vulnerabilities/open_redirect/source/medium.php

@@ -0,0 +1,21 @@
+<?php
+
+if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
+	if (preg_match ("/http:\/\/|https:\/\//i", $_GET['redirect'])) {
+		http_response_code (500);
+		?>
+		<p>Absolute URLs not allowed.</p>
+		<?php
+		exit;
+	} else {
+		header ("location: " . $_GET['redirect']);
+		exit;
+	}
+}
+
+http_response_code (500);
+?>
+<p>Missing redirect target.</p>
+<?php
+exit;
+?>

vulnerabilities/view_source.php

@@ -47,6 +47,12 @@
 		case "javascript" :
 			$vuln = 'JavaScript';
 			break;
+		case "authbypass" :
+			$vuln = 'Authorisation Bypass';
+			break;
+		case "open_redirect" :
+			$vuln = 'Open HTTP Redirect';
+			break;
 		default:
 			$vuln = "Unknown Vulnerability";
 	}

vulnerabilities/view_source_all.php

@@ -61,6 +61,12 @@
 		case "weak_id" :
 			$vuln = 'Weak Session IDs';
 			break;
+		case "authbypass" :
+			$vuln = 'Authorisation Bypass';
+			break;
+		case "open_redirect" :
+			$vuln = 'Open HTTP Redirect';
+			break;
 		default:
 			$vuln = "Unknown Vulnerability";
 	}