Open Redirect Lab 3

JavaScript-based Redirect

Difficulty: Medium

Lab Overview

This lab demonstrates open redirect vulnerabilities that occur when JavaScript is used for redirects without proper validation of the target URL.

Objective: Test JavaScript-based redirects and understand how client-side redirects can be exploited.

Backend Source Code

$redirect_url = $_GET['url'] ?? '';
$delay = $_GET['delay'] ?? 3;

// Vulnerable: No validation of the redirect URL
// JavaScript will execute:
// setTimeout(function() {
//     window.location = "$redirect_url";
// }, $delay * 1000);

Test Input Form

Vulnerability Details

Type: JavaScript-based Open Redirect
Severity: Medium
Parameters: url, delay
Method: JavaScript window.location
Issue: Client-side redirect without URL validation

Test Payloads

Try these URLs to test the vulnerability:

?url=https://evil.com&delay=1
?url=//evil.com&delay=2
?url=javascript:alert('XSS')&delay=1
?url=data:text/html,&delay=1
?url=ftp://evil.com&delay=3
?url=file:///etc/passwd&delay=2

Attack Scenarios

Phishing attacks with delayed redirects to appear more legitimate
XSS attacks through javascript: protocol
File access through file: protocol
Bypassing client-side security controls
Social engineering with fake loading messages

Mitigation Strategies

Validate redirect URLs on the server-side before outputting to JavaScript
Use a whitelist of allowed domains for redirects
Implement Content Security Policy (CSP) to prevent javascript: protocol
Sanitize and encode user input before using in JavaScript
Consider using server-side redirects instead of client-side