How To Test & Exploit Open/Unvalidated Redirect Vulnerability


Open/Unvalidated Redirect Vulnerability

Open Redirect (also called Unvalidated Redirects and Forwards) is a vulnerability in web applications and web pages where a user-supplied parameter controls where the application sends the browser next. By exploiting it, an attacker can redirect users of a trusted site to any external link or website, and that destination may be malicious or a phishing page.
Developers often pay little attention to this vulnerability because it has no direct impact on the web application or web pages themselves, but it is a matter of website reputation: the domain name in the URL is the only thing users have to judge whether a site is legitimate or malicious, and an attacker abuses that trust to take advantage of their victims. That is enough introduction; now I'm going to show you how to test and exploit an open redirect vulnerability.
For testing unvalidated redirects and forwards I use Mutillidae (the vulnerable web application shipped with Metasploitable 2) and Burp Suite for penetration testing.

How To Test & Exploit Open/Unvalidated Redirect Vulnerability

First, open your browser and configure it to use Burp Suite as its proxy.

Now I'm going to open the vulnerable web application.

Note: in my example it is http://192.168.1.28/mutillidae/index.php

Now I visit this link: http://192.168.1.28/mutillidae/index.php?page=credits.php

On this page there are many links to external sites. They use the GET method and pass the destination as the value of the forwardurl parameter.

I click on the Adrian Crenshaw link and intercept the request in Burp.

Look at the intercepted request: GET /Mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.irongeek.com/ HTTP/1.1

Change it to GET /Mutillidae/index.php?page=redirectandlog.php&forwardurl=https://www.appinindore.com/ HTTP/1.1 and click Forward. If the browser lands on the substituted site, the forwardurl parameter is not validated and the open redirect is confirmed.
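The fix on the server side is to validate forwardurl before redirecting. The following handler is an added example written for this post, not Mutillidae's own redirectandlog.php code; the allowlist, the fallback path and the test values are assumptions. It rejects the substituted appinindore.com URL from the test above and also handles the usual bypass shapes (scheme-relative URLs, userinfo tricks, lookalike subdomains, CRLF).

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed allowlist: the only external hosts the credits page may forward to.
ALLOWED_HOSTS = {"www.irongeek.com"}
# Constructed fallback used whenever the supplied target is rejected.
SAFE_DEFAULT = "/mutillidae/index.php"


def validate_forward_url(candidate: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return a normalised absolute URL if candidate points at an allowlisted host, else None."""
    if not candidate or any(c in candidate for c in "\r\n\\"):
        # CR/LF would allow header injection; backslashes are parsed as '/' by some browsers.
        return None
    parts = urlsplit(candidate.strip())
    if parts.scheme.lower() not in ("http", "https"):
        # Also rejects scheme-relative "//evil.example" and "javascript:" targets.
        return None
    if parts.username or parts.password:
        # "http://www.irongeek.com@evil.example/" really goes to evil.example.
        return None
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        # Exact match only, so "www.irongeek.com.evil.example" is rejected.
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


def handle_redirect(query_string: str) -> dict:
    """Decide the Location header for a redirectandlog-style request given its raw query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.get("forwardurl", [""])[0]
    target = validate_forward_url(supplied)
    if target is None:
        # Log the rejected value for detection and send the user somewhere internal instead.
        return {"status": 302, "location": SAFE_DEFAULT, "accepted": False, "rejected_value": supplied}
    return {"status": 302, "location": target, "accepted": True}


if __name__ == "__main__":
    print(handle_redirect("page=redirectandlog.php&forwardurl=http://www.irongeek.com/"))
    print(handle_redirect("page=redirectandlog.php&forwardurl=https://www.appinindore.com/"))
```

Rejected values are worth logging as they are, since a burst of them against one redirect endpoint is exactly what a tester or attacker probing the parameter looks like.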

Jafar Hasan
About Author
Jafar Hasan is a seasoned cybersecurity professional and a respected educator at one of Indore’s premier ethical hacking institutes. With over a decade of experience in the field, he is dedicated to enhancing online security through ethical hacking practices. Jafar shares his knowledge through insightful articles focusing on cybersecurity and ethical hacking.
With a commitment to ethical practices, he shapes future cyber defenders and is a respected authority in cybersecurity. Trust his expertise to navigate online security complexities and stay updated on the latest developments in this ever-evolving landscape.
