What type of information would be risky to disclose via a Referer header?
Any kind of private or sensitive information shouldn't be exposed to external websites; it all depends on your application. The most common things to consider are:
- session IDs (you can sometimes see them in URL parameters like ?PHPSESSID=...)
- user IDs / resource IDs (they may give a third party a hint about who exactly the user is)
- any kind of sensitive tokens, such as anti-CSRF tokens, action-confirmation tokens, account-activation tokens, etc.
- some sensitive user data, e.g. the search terms they used on your website.
Which is a better approach: click to redirect, or an HTTP 301/302 redirection?
A 30x redirect is perfectly fine from a technical point of view, as it will lose the Referer header. Consider using a 'click to redirect' if you want to inform your users about the redirection happening.
If a 301/302 or JavaScript redirection to an external URL is used, what additional security precautions must be taken?
For example, imagine that an attacker sets up a phishing site with your site's design and a spoofed login form and uses your open redirection to drive users to the attacker's website, harvesting their logins and passwords. The attacker might, for instance, send out a spam campaign with URLs pointing to your redirection script. This is a common security vulnerability, commonly called open redirection. Click-through protection would be better in this regard, as the users would be informed about the redirection happening, but it's much better to have a process of manual/semi-automatic validation of redirect targets so that you can monitor for malicious URLs and block them.
You'll never have total control over the target URLs, as there are many ways for attackers to hide malicious content from you, but having a process ready to block unwanted URLs will allow you to develop better filters, blacklist common domains or implement a greylisting feature: for known-good URLs a 301 redirect, for known-bad ones a 501, and for all others a user confirmation. This is more or less what Facebook does.
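The greylisting scheme described in the answer above (known-good targets get a 301, known-bad ones a 501, everything else a confirmation page), as an added example that is not part of the original answer. The domain lists `KNOWN_GOOD` and `KNOWN_BAD` are hypothetical placeholders for the output of the review process the answer recommends. Most of the code is the part the answer leaves implicit: deciding which host a user-supplied URL actually points at, including the userinfo, scheme-relative, backslash and missing-authority forms that attackers use to get past naive string checks.

```python
import html
from enum import Enum
from urllib.parse import urlsplit


class Decision(Enum):
    ALLOW = "allow"      # known-good target: redirect straight away
    BLOCK = "block"      # known-bad or malformed target: refuse
    CONFIRM = "confirm"  # unknown target: show a click-through page


# Hypothetical lists for this example; in practice they are the output of the
# manual/semi-automatic review process described in the answer.
KNOWN_GOOD = frozenset({"example.com", "partner.example"})
KNOWN_BAD = frozenset({"evil.example"})

# Status codes the answer proposes (501 for bad targets is its choice; 403 is
# the more conventional refusal) plus 200 for the confirmation page.
STATUS = {Decision.ALLOW: 301, Decision.BLOCK: 501, Decision.CONFIRM: 200}


def _domain_matches(host: str, domains: frozenset) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_redirect(target: str) -> Decision:
    """Greylist a user-supplied redirect target.

    Malformed or ambiguous URLs are blocked outright: the whole point of the
    check is that the browser must end up where the server thinks it will.
    """
    # Browsers strip surrounding whitespace/control characters and treat
    # backslashes as slashes ("/\\evil.example" navigates to evil.example);
    # urlsplit does not, so refuse anything the two could parse differently.
    if (target != target.strip()
            or any(ord(c) < 0x20 for c in target)
            or "\\" in target):
        return Decision.BLOCK

    parts = urlsplit(target)

    # Absolute-path target such as "/account": never leaves the site.
    # "//evil.example" gets a netloc from urlsplit, so it is not caught here.
    if not parts.scheme and not parts.netloc:
        return Decision.ALLOW if target.startswith("/") else Decision.BLOCK

    # Scheme-relative ("//host") and non-web schemes ("javascript:") are refused.
    if parts.scheme.lower() not in ("http", "https"):
        return Decision.BLOCK

    # "https:evil.example" has a scheme but no authority; browsers still go there.
    if not parts.netloc:
        return Decision.BLOCK

    # Userinfo ("https://example.com@evil.example/") defeats naive prefix checks.
    if "@" in parts.netloc:
        return Decision.BLOCK

    # urlsplit lowercases .hostname; also drop a trailing dot ("example.com.").
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return Decision.BLOCK

    if _domain_matches(host, KNOWN_BAD):   # bad wins over good for lookalikes
        return Decision.BLOCK
    if _domain_matches(host, KNOWN_GOOD):
        return Decision.ALLOW
    return Decision.CONFIRM


def redirect_response(target: str) -> tuple[int, dict, str]:
    """Build (status, headers, body) for a request to redirect to `target`."""
    decision = classify_redirect(target)
    # A bare 3xx does not hide the original Referer from the destination; tell
    # the browser to send none on the hop that leaves our site.
    headers = {"Referrer-Policy": "no-referrer"}
    if decision is Decision.ALLOW:
        headers["Location"] = target
        return STATUS[decision], headers, ""
    if decision is Decision.CONFIRM:
        # The target is attacker-controlled text: escape it before it lands in
        # the click-through page, or the redirector becomes an XSS sink.
        safe = html.escape(target, quote=True)
        body = (f"<p>You are leaving this site for {safe}.</p>"
                f'<p><a href="{safe}" rel="noopener noreferrer">Continue</a></p>')
        headers["Content-Type"] = "text/html; charset=utf-8"
        return STATUS[decision], headers, body
    return STATUS[decision], headers, "Redirect target not permitted"


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the validator handles.
    for t in ("/account", "https://example.com/login", "https://unknown.example/",
              "https://evil.example/", "https://example.com@evil.example/",
              "//evil.example/", "https:evil.example", "javascript:alert(1)"):
        print(f"{t!r:45} -> {classify_redirect(t).value}")
```

Two design choices worth noting: known-bad is checked before known-good so that a lookalike such as `example.com.evil.example` is refused rather than allowed, and every ambiguous form (userinfo, backslashes, scheme without authority, control characters) is blocked rather than normalised, because a redirector's job is to send the browser only where a reviewer has looked.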