How To Test & Exploit Open/Unvalidated Redirect Vulnerability

Open/ Unvalidated Redirect Vulnerability

Open Redirect (also called Unvalidated Redirects and Forwards) is a vulnerability in web applications and web pages: by exploiting it, an attacker can send the page's users to any external link or website, which may be a malicious site or a phishing page.
Developers often pay little attention to this vulnerability because it has no direct impact on the web application itself, but it is a matter of website reputation: the domain name in the URL is the only thing users have to judge whether a website is legitimate or malicious, and an attacker exploits that trust to take advantage of their victims. Enough for the introduction; now I'm going to show you how to test for and exploit an open redirect vulnerability.
For testing unvalidated redirects and forwards, I use Mutillidae (the vulnerable web application shipped with Metasploitable 2) and Burp Suite.

How To Test & Exploit Open/Unvalidated Redirect Vulnerability

First, open your browser and configure it to use Burp Suite as its proxy.

Now I'm going to open a vulnerable web application.

Note: In my example it is

Now I visit this link

On this page I can see many outside links that use the GET method and pass the destination in the forwardurl parameter.

I click on the Adrian Crenshaw link and intercept the request in Burp.

Look at the intercepted request: GET /Mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.irongeek.com/ HTTP/1.1

Change it to GET /Mutillidae/index.php?page=redirectandlog.php&forwardurl=https://www.appinindore.com/ HTTP/1.1 and click Forward. The browser lands on the substituted URL instead of irongeek.com, because the application never validates the value of forwardurl.
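The fix a developer would want for a handler like redirectandlog.php is to validate the destination before redirecting. The following is an added Python example, not code from Mutillidae or from this post: a validator that only accepts same-site paths or allow-listed hosts, and rejects the scheme-relative, backslash, userinfo and non-HTTP-scheme variants that commonly slip past naive checks. The allow-list and SITE_ORIGIN are constructed placeholders, not the lab's real values.

```python
from urllib.parse import urlsplit, urljoin

# Constructed for this example: hosts the application is allowed to forward to.
ALLOWED_HOSTS = {"www.irongeek.com", "www.owasp.org"}
# Placeholder for the application's own origin (not the lab's real address).
SITE_ORIGIN = "http://mutillidae.example"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on this site or an allow-listed host.

    Rejects scheme-relative URLs (//evil.example), backslash variants
    (/\\evil.example), userinfo tricks (http://good@evil.example) and
    non-http(s) schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing.
    candidate = target.replace("\\", "/")
    # Resolve against our origin: "/index.php" stays on-site, "//evil" does not.
    resolved = urlsplit(urljoin(SITE_ORIGIN, candidate))
    if resolved.scheme not in ("http", "https"):
        return False
    if resolved.username or resolved.password:
        return False
    host = (resolved.hostname or "").lower()
    site_host = urlsplit(SITE_ORIGIN).hostname.lower()
    # Exact host match only: "www.irongeek.com.evil.example" must not pass.
    return host == site_host or host in allowed_hosts


def redirect_target(forwardurl: str, fallback: str = "/index.php") -> str:
    """Hardened replacement for an unvalidated forwardurl handler.

    Returns the requested destination if it passes validation, otherwise a
    safe on-site fallback instead of the attacker-supplied URL.
    """
    return forwardurl if is_safe_redirect(forwardurl) else fallback


if __name__ == "__main__":
    # The two values from the intercepted request above, constructed inline.
    for url in ("http://www.irongeek.com/", "https://www.appinindore.com/"):
        print(url, "->", redirect_target(url))
```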


