Open Redirect Lab 2

HTTP Headers Redirect

Difficulty: Low

Lab Overview

This lab demonstrates open redirect vulnerabilities that occur when applications trust HTTP headers like Referer, X-Forwarded-For, or custom headers for redirect functionality.

Objective: Test header-based redirects and understand how HTTP headers can be exploited for open redirect attacks.

Backend Source Code
<?php
// Vulnerable lab code: pick a redirect target from request headers first,
// then fall back to the return_url parameter. Note the precedence: when a
// Referer header is present it wins, so return_url is only consulted for
// requests that carry neither header (for example a plain curl request).
$redirect_url = null;

if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {
    $redirect_url = $_SERVER['HTTP_REFERER'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $redirect_url = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_GET['return_url'])) {
    $redirect_url = $_GET['return_url'];
}

if (!empty($redirect_url)) {
    // Vulnerable: the attacker-controlled value is written straight into the
    // Location header with no scheme, host or path validation.
    header("Location: " . $redirect_url);
    exit();
}
Test Input Form

The form on this page only sets the return_url query parameter. The address bar and form alone cannot set Referer or X-Forwarded-For, so to test the header-based paths use curl (as in the payloads below) or an intercepting proxy that lets you edit request headers before they are sent.

Vulnerability Details
  • Type: Open Redirect via HTTP Headers
  • Severity: Medium
  • Sources: HTTP_REFERER, X-Forwarded-For, return_url parameter
  • Method: Header manipulation
  • Issue: Trusting unvalidated header values for redirects
Test Payloads

Use these methods to test the vulnerability. In each case a successful test is an HTTP 302 response whose Location header echoes the injected value; pass -i to curl so the response headers are printed, since the redirect response has no body to show.

Method 1: Referer Header
curl -i -H "Referer: https://evil.com" "http://localhost/redirect/2.php"
Method 2: X-Forwarded-For Header
curl -i -H "X-Forwarded-For: https://evil.com" "http://localhost/redirect/2.php"
Method 3: return_url Parameter
curl -i "http://localhost/redirect/2.php?return_url=https://evil.com"

Method 3 works from curl because curl sends no Referer by default. In a browser, a navigation from another page carries a Referer, which the code checks first, so return_url is ignored and the victim is sent back to the referring page instead.
Attack Scenarios
Mitigation Strategies
  • Never derive redirect targets from request headers such as Referer or X-Forwarded-For; these are fully attacker-controlled
  • Validate every redirect source against a strict allowlist: parse the URL, require an expected scheme, and compare the host exactly (no substring or prefix matching)
  • Prefer same-origin relative paths, and reject protocol-relative targets (those starting with //) and values containing backslashes or CR/LF
  • Store the intended post-login destination server-side in the session rather than round-tripping it through the client
  • Where a redirect target must travel through the client, bind it to the session with a signed or CSRF-style token so it cannot be substituted
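The following is an added example of a hardened replacement for the lab's redirect logic; it is not part of the lab's own code. It consults only the return_url parameter, never the request headers, and accepts either a same-origin relative path or an https URL whose host exactly matches an allowlist. The allowlisted host names and the fallback path are assumptions chosen for illustration.

```php
<?php
// Added example, not the lab's code: hardened redirect target selection.
// The allowlist and the default target below are assumptions for illustration.
const ALLOWED_REDIRECT_HOSTS = ['localhost', 'app.example.com'];
const DEFAULT_REDIRECT = '/';

/**
 * Return a safe redirect target derived from $candidate, or DEFAULT_REDIRECT
 * when the candidate is absent, malformed, or points off-site.
 */
function safe_redirect_target(?string $candidate): string
{
    if ($candidate === null || $candidate === '') {
        return DEFAULT_REDIRECT;
    }

    // Reject CR/LF (response header injection) and backslashes, which some
    // browsers normalise to forward slashes, turning "/\evil.com" into "//evil.com".
    if (preg_match('/[\r\n\\\\]/', $candidate)) {
        return DEFAULT_REDIRECT;
    }

    // Same-origin relative path: a single leading "/" is accepted, but "//"
    // is a protocol-relative URL that would send the browser to another host.
    if ($candidate[0] === '/') {
        if (isset($candidate[1]) && $candidate[1] === '/') {
            return DEFAULT_REDIRECT;
        }
        return $candidate;
    }

    // Absolute URL: parse it and insist on https plus an exact allowlisted host.
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return DEFAULT_REDIRECT;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return DEFAULT_REDIRECT;
    }
    // Userinfo tricks such as "https://app.example.com@evil.com" parse with
    // host "evil.com"; reject any userinfo outright and exact-match the host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return DEFAULT_REDIRECT;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return DEFAULT_REDIRECT;
    }
    return $candidate;
}

// Only the explicit query parameter is consulted; Referer and
// X-Forwarded-For play no part in choosing the destination.
$target = safe_redirect_target($_GET['return_url'] ?? null);
header('Location: ' . $target, true, 302);
exit();
```

With this in place, each of the three payloads above lands on the default target: the two header payloads because the headers are never read, and the return_url payload because evil.com is not on the allowlist. A value such as /account or https://app.example.com/account is passed through unchanged.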