```bash
$ docker pull blabla1337/owasp-skf-lab:url-redirection
$ docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:url-redirection
```
{% hint style="success" %} Now that the app is running let's go hacking! {% endhint %}
First, make sure python3 and pip are installed on your host machine. After installation, go to the folder of the lab you want to practise (e.g. /skf-labs/XSS/ or /skf-labs/jwt-secret/) and run the following commands:

```bash
$ pip3 install -r requirements.txt
$ python3 <labname>
```
{% hint style="success" %} Now that the app is running let's go hacking! {% endhint %}
The application shows that there is a new version of the website available somewhere, and a click on the button "Go to new website" will redirect you to it.
If we click on the button we will be redirected to the new page http://localhost:5000/newsite

Intercepting the traffic generated by the application, we note that the redirection is performed using the following call:

```
GET /redirect?newurl=newsite
```

which makes the server answer with a 302 Redirect response.
Inspecting the source code, we can see that no input validation is performed on the `newurl` query string parameter:

```python
from flask import Flask, redirect, request

app = Flask(__name__)

@app.route('/redirect')
def redirector():
    landing_page = request.args.get('newurl')  # attacker-controlled, never validated
    return redirect(landing_page, 302)
```
The exploitation is pretty straightforward: replay the redirection request, but this time change the value of `newurl` to another URL.

Original request:

```
http://localhost:5000/redirect?newurl=newsite
```

Modified request:

```
http://localhost:5000/redirect?newurl=https://google.com
```

Using the payload above we will be able to successfully redirect a user to a malicious website.
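As an added example (not part of the lab's own code), here is one way to close this hole: resolve `newurl` against the application's own origin and only follow it when the result stays on the same host, otherwise fall back to the site root. The function names, the `APP_HOST` value (taken from the write-up's URLs) and the sample inputs are assumptions made for this illustration; the same check applied to the lab's payloads shows `newsite` accepted and `https://google.com` rejected.

```python
from urllib.parse import urljoin, urlparse

# Host the lab is served from (from the write-up's URLs). In a real application use
# the configured canonical host, never the Host header as the client sent it.
APP_HOST = "localhost:5000"


def safe_redirect_target(target, app_host=APP_HOST):
    """Return the absolute same-site URL for `target`, or None if it would leave the site.

    Rejects absolute URLs to other hosts, protocol-relative URLs (//host/...),
    non-http(s) schemes, userinfo tricks (http://ourhost@evil/) and backslash
    variants that browsers normalise to '/'.
    """
    if not target:
        return None
    # Browsers treat '\' like '/' in http(s) URLs, so "/\evil.example" would be
    # sent to evil.example; normalise first so urlparse sees what the browser sees.
    candidate = target.replace("\\", "/")
    # Resolve relative paths ("newsite", "/newsite?x=1") against our own origin;
    # anything that already carries a scheme or host survives this unchanged.
    absolute = urljoin(f"http://{app_host}/", candidate)
    parts = urlparse(absolute)
    if parts.scheme not in ("http", "https"):
        return None
    # netloc includes userinfo and port, so a strict comparison also catches
    # "http://localhost:5000@evil.example/" and "http://localhost:5000.evil.example/".
    if parts.netloc != app_host:
        return None
    return absolute


def redirect_location(newurl, fallback="/"):
    """Value to put in the 302 Location header for a given `newurl` parameter."""
    return safe_redirect_target(newurl) or fallback


if __name__ == "__main__":
    # Constructed sample inputs: the lab's two payloads plus common bypass shapes.
    for sample in ["newsite", "https://google.com", "//evil.example/phish",
                   "/\\evil.example/phish", "http://localhost:5000@evil.example/",
                   "javascript:alert(1)"]:
        print(f"{sample!r:45} -> {redirect_location(sample)}")
```

In the Flask handler from the lab this would be `return redirect(redirect_location(request.args.get('newurl')), 302)`. The host comparison is deliberately exact (so `LOCALHOST:5000` is rejected rather than guessed at), which fails closed; when the set of destinations is small and known, an even simpler fix is to map a short token such as `newsite` to a fixed local path and ignore the parameter entirely.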