URL redirection and jump vulnerability

Posted by punzalan at 2020-04-17

URL jump vulnerability

A URL jump vulnerability is one in which the back-end server, when it tells the browser to jump, fails to verify the validity of the redirection address passed in by the client, so that the user's browser jumps to a phishing page.

Usage scenarios

Many web logins now support QQ, WeChat, Sina and other third-party logins. Taking QQ third-party authorized login as an example: when we call the QQ authorization server for authorization, we pass the redirect URL address in the parameters to tell the QQ authorization server which address the page should jump to after authorization succeeds, and the user is then logged in to the site. But if the redirect address is tampered with in transit and replaced with a phishing URL, the user's authorization information can be obtained illegally. Of course, QQ third-party login also has its own strategy: an application that integrates QQ third-party login configures a jump whitelist on the developer platform, and the QQ authorization server jumps only to a domain name, subdomain or URL that belongs to the whitelist. If it finds that the redirect address is not legal, it will jump to the illegal page.

Defensive strategy

From the scenario above, we know that the jump URL vulnerability exists because the server does not verify the validity of the jump address passed by the client. Therefore, the way to prevent this attack is to verify the jump URL passed by the client.

Common methods:

The server is configured with a jump whitelist or a domain-name whitelist, and jumps only to legal URLs.

Here is the code for the PHP server to verify the jump URL passed by the client:
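
One way to write such a check, as an added example that is not the original post's code: it accepts only absolute https URLs whose host is on the whitelist or is a subdomain of a whitelisted domain, and falls back to a default page otherwise. The whitelist entries, `DEFAULT_TARGET` and both function names are assumptions for illustration.

```php
<?php
// Added example, not the original post's code. All names and values below
// (ALLOWED_DOMAINS, DEFAULT_TARGET, the example.com hosts) are assumptions.
const ALLOWED_DOMAINS = ['example.com', 'login.example.net']; // constructed whitelist
const DEFAULT_TARGET  = 'https://example.com/';               // fallback when the check fails

// True if $host is a whitelisted domain or a subdomain of one.
function host_is_allowed(string $host): bool
{
    foreach (ALLOWED_DOMAINS as $domain) {
        // Compare on a dot boundary so "notexample.com" does not match "example.com".
        if ($host === $domain || substr($host, -strlen('.' . $domain)) === '.' . $domain) {
            return true;
        }
    }
    return false;
}

// Returns $url if it is an absolute https URL on the whitelist, else DEFAULT_TARGET.
function safe_redirect_target(string $url): string
{
    // Browsers treat backslashes, whitespace and control bytes differently from
    // parse_url(), so refuse them outright instead of trying to normalise.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return DEFAULT_TARGET;
    }
    $parts = parse_url($url);
    if ($parts === false || strtolower($parts['scheme'] ?? '') !== 'https') {
        return DEFAULT_TARGET;   // rejects relative, scheme-less ("//host") and non-https URLs
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return DEFAULT_TARGET;   // "https://example.com@other.test/" really points at other.test
    }
    return host_is_allowed(strtolower($parts['host'] ?? '')) ? $url : DEFAULT_TARGET;
}

// Constructed sample inputs: the first two pass, the rest fall back to DEFAULT_TARGET.
$samples = [
    'https://example.com/home',
    'https://app.example.com/cb?x=1',
    'https://notexample.com/',
    'https://example.com@phish.test/',
    '//phish.test/',
    'http://example.com/',
];
foreach ($samples as $s) {
    echo str_pad($s, 34), ' => ', safe_redirect_target($s), PHP_EOL;
}
```

In a request handler the result would be passed to `header('Location: ' . safe_redirect_target($_GET['redirect_url'] ?? ''))`, where `redirect_url` is a hypothetical parameter name.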