Tuesday, October 30, 2012

.gov redirections leading to spam: how did we get there?

You may have seen reports of an increase in .gov websites redirecting to spam or scam sites. This issue is the same as one we reported almost two years ago. Many .gov websites have open redirections that can be exploited by spammers. The example we detailed in February 2011 is actually still online, and so is the cross-site scripting (XSS) vulnerability that we found on the same page.

How did we get there?

Many websites want to warn users when they are leaving their domains. In the case of a .gov website, they want to make clear that an external domain does not carry the guarantee of being an official government website. This warning is supposed to add security for ens users. Facebook also uses a warning page because links can be added by anybody and Facebook cannot guarantee the safety of those URLs.

Why are these warning being exploited?

Spammers want clean URLs to bypass URL fitters and spam filters. They therefore use legitimate .gov websites to bypass security features. This warning may actually make the final URL look safer to the user by implying that the final URL has been linked and vetted, by the .gov website.

In the case of www.fmcsa.dot.gov (see our previous post), the user has only 10 seconds to read the warning before being redirected automatically. That's great for the spammer as no additional click is required to redirect the user to the spam/scam site.

These websites owners think they are adding additional security, but this decision is actually putting their users at risk. The assumption that leads to the abuse of open redirections is that the user seeing the warning has clicked on an external link on a page from the same .gov domain. Since the content on the .gov website is controlled, the external link has to be a safe link. The website creators did not think of spammers sending users directly to the warning page.

The fix

The fix is actually easy - make sure the assumption is right. This means the warning page should make sure that the redirection is legitimate - that the URL is one that has been approved.

There are a couple of way of ensuring that the redirection URL has been controlled:

Referrer

One way, not the most robust option, is to check the Referrer header to ensure the user comes from the same domain. This would stop user who clicked on a link in an e-mail, and spammers who use URL shorteners like bit.ly.

Whitelist

Another option is to store all 3rd-party URLs in a whitelist, and check against the list before making any redirection. This would prevent anybody from using the redirection with arbitrary URLs. The main downside to this approach is the overhead to manage this list every time an external URL is added or removed from the website.

Hash

The most common solution is to sign the URL. For example, replace http://www.fmcsa.dot.gov/redirect.asp?page=http://www.zscaler.com/ with http://www.fmcsa.dot.gov/redirect.asp?page=http://www.zscaler.com/&;hash=THE_HASH where THE_HASH = hash("http://www.zscaler.com" + secret). The URL is hashed with a secret key to prevent its replacement by a random address. This method is used by Facebook to guarantee the authenticity requests sent by Facebook to Facebook applications, for example.

The important takeaway for all webmasters is to understand that spammers will take advantage of any flaw in web applications. Be very careful with the assumptions you make.

4 comments:

fax par email said...

This page appears every time in my research results. I confirm that this proceeds from the quality of your publications. Furthermore, this page has won its place to my favorites.

prix rideaux thermiques said...

Really good post. Appreciation to my friend informed me about this website. This is so great that I add comment. This site has won its place to my bookmarks. Thanks for sharing.

cigarette electronique said...

There was a friend who has not stopped to talk to me about your page. While browsing this site, I immediately understood why talk me often. There are certainly useful information.

pret personnel said...

Thanks for these fantastic ideas. It will be more overwhelmed by the event through your site. I look forward to discovering other articles.