HTTP redirect security bypass
Description
This vulnerability occurs when an application automatically follows HTTP redirect responses without validating the target protocol scheme. When a server responds with a 'Location:' header, the application may blindly follow redirects to non-HTTP protocols such as 'file://', 'ftp://', or other URI schemes. An attacker controlling a malicious server can exploit this behavior to redirect victims to local file system resources, potentially exposing sensitive files like configuration data, credentials, or system files.
Remediation
Implement strict validation of redirect target URLs before following them. Specifically:
1. Allowlist permitted protocols: Only permit redirects to safe protocols such as 'http://' and 'https://'. Reject all other URI schemes including 'file://', 'ftp://', 'data:', and custom protocol handlers.
2. Validate redirect destinations: Verify that redirect targets point to expected domains or URL patterns. Consider maintaining an allowlist of trusted domains.
3. Disable automatic redirects: Where possible, disable automatic following of redirects and implement manual redirect handling with validation.
Example implementation (Java):
    import java.net.MalformedURLException;
    import java.net.URL;
    import java.util.Set;

    // Hosts that redirects may point to (placeholder values; load from configuration)
    private static final Set<String> TRUSTED_DOMAINS = Set.of("example.com", "www.example.com");

    // Validate redirect URL before following
    public boolean isValidRedirectUrl(String redirectUrl) {
        try {
            URL url = new URL(redirectUrl);
            String protocol = url.getProtocol().toLowerCase();
            // Only allow HTTP and HTTPS protocols
            if (!protocol.equals("http") && !protocol.equals("https")) {
                return false;
            }
            // Optional: Validate against trusted domains
            String host = url.getHost();
            return isTrustedDomain(host);
        } catch (MalformedURLException e) {
            // Unparseable URL or unknown scheme: refuse to follow
            return false;
        }
    }

    private boolean isTrustedDomain(String host) {
        return host != null && TRUSTED_DOMAINS.contains(host.toLowerCase());
    }
Example implementation (Python):
    from urllib.parse import urlparse

    # Hosts that redirects may point to (placeholder values; load from configuration)
    TRUSTED_DOMAINS = {"example.com", "www.example.com"}

    def is_trusted_domain(host):
        return host is not None and host.lower() in TRUSTED_DOMAINS

    def is_valid_redirect_url(redirect_url):
        try:
            parsed = urlparse(redirect_url)
        except ValueError:  # e.g. a malformed IPv6 literal
            return False
        # Only allow HTTP and HTTPS schemes (urlparse lowercases the scheme)
        if parsed.scheme not in ['http', 'https']:
            return False
        # Optional: Validate against trusted domains. Compare the parsed hostname,
        # not netloc: netloc keeps userinfo and port ("user@host:8080").
        return is_trusted_domain(parsed.hostname)
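The snippets above only decide whether one URL is acceptable. Remediation steps 1 to 3 together also require that the client never follows redirects automatically, resolves a relative Location value against the URL that was requested before checking it, and caps the number of hops. The following is an added example that is not part of the original page and not taken from any library: a small client built on Python's http.client (which never follows redirects on its own) that applies those three steps. The hosts trusted.example and other.example, the canned responses in DEMO_RESPONSES, the fake transport and the hop limit of 5 are all constructed assumptions for the demonstration; http_client_fetch is the real transport.

```python
"""Manual redirect handling with target validation (added example, standard library only)."""
import http.client
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class RedirectRejected(Exception):
    """Raised when a redirect target fails validation or the hop limit is reached."""


def validate_redirect_target(target, trusted_hosts):
    """Return True only for absolute http(s) URLs whose host is on the allowlist."""
    try:
        parsed = urlparse(target)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parsed.scheme not in ALLOWED_SCHEMES:  # rejects file://, ftp://, data: and relative URLs
        return False
    # hostname strips userinfo and port; netloc would keep "user@host:port", so an
    # allowlist compared against netloc can be fooled by "trusted.example@other.example".
    host = parsed.hostname
    if not host:
        return False
    return host.lower() in {h.lower() for h in trusted_hosts}


def http_client_fetch(url):
    """Real transport: one request via http.client, which never follows redirects.

    Returns (status, headers, body); headers is a plain dict as sent by the server.
    """
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port, timeout=10)
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def fetch_with_validated_redirects(url, trusted_hosts, fetch=http_client_fetch, max_hops=5):
    """Follow redirects by hand, validating every hop. Returns (status, body, visited)."""
    visited = []
    for _ in range(max_hops + 1):  # initial request plus at most max_hops redirects
        status, headers, body = fetch(url)
        visited.append(url)
        if status not in REDIRECT_STATUSES:
            return status, body, visited
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location is None:
            return status, body, visited  # redirect status without Location: stop here
        target = urljoin(url, location)  # resolve relative Location values before checking
        if not validate_redirect_target(target, trusted_hosts):
            raise RedirectRejected(f"refusing redirect from {url} to {target}")
        url = target
    raise RedirectRejected(f"more than {max_hops} redirects starting at {visited[0]}")


# Constructed canned responses standing in for a server: url -> (status, headers, body)
DEMO_RESPONSES = {
    "http://trusted.example/start": (302, {"Location": "/landing"}, b""),
    "http://trusted.example/landing": (200, {}, b"landing page"),
    "http://trusted.example/to-file": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://trusted.example/to-ftp": (302, {"Location": "ftp://trusted.example/pub"}, b""),
    "http://trusted.example/userinfo": (302, {"Location": "http://trusted.example@other.example/"}, b""),
    "http://trusted.example/loop": (302, {"Location": "/loop"}, b""),
}


def demo_fetch(url):
    """Fake transport that serves DEMO_RESPONSES instead of talking to the network."""
    return DEMO_RESPONSES[url]


def outcome(start_url, trusted_hosts=("trusted.example",), fetch=demo_fetch):
    """Run one chain and summarise it as ('ok', status, visited) or ('rejected', reason)."""
    try:
        status, _body, visited = fetch_with_validated_redirects(start_url, trusted_hosts, fetch)
        return ("ok", status, visited)
    except RedirectRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for path in ("start", "to-file", "to-ftp", "userinfo", "loop"):
        print(path, "->", outcome(f"http://trusted.example/{path}"))
```

Running the script prints one line per canned chain: the relative redirect to /landing is followed, while the redirects to file://, to ftp://, to a URL whose userinfo impersonates the trusted host, and the self-referencing loop are all refused before any further request is sent. Replacing demo_fetch with http_client_fetch applies the same logic to a real server.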