# Vulnerability
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
# Summary
The login page URL can include a url parameter, and after authentication, users will be redirected to this URL. If an attacker provides a url pointing to a phishing or other malicious website, users will be redirected there after logging in.
# Details
## Taint source
`GET /bbs/login`
<img width="1610" height="1490" alt="Image" src="https://github.com/user-attachments/assets/4d2ac20b-1f26-4efc-99ba-57f03d65d5fb" />
On the login page, the view passes the url parameter from the URL to the template. When the template renders the page, it fills this url into an input field in the form. When users POST login data (i.e., POST /bbs/login), upon successful authentication, they will be redirected to the url value from the form.
<img width="804" height="1170" alt="Image" src="https://github.com/user-attachments/assets/6ad54a0c-5b33-4afb-ae1f-b31ef248728c" />
## Taint sink
`POST /bbs/login`
# POC
For example, if the BBS website is at 127.0.0.1:8000, requesting http://127.0.0.1:8000/bbs/login?url=http://google.com will cause the browser to open the Google homepage after successful authentication.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
# Summary
The login page URL can include a url parameter, and after authentication, users will be redirected to this URL. If an attacker provides a url pointing to a phishing or other malicious website, users will be redirected there after logging in.
# Details
## Taint source
`GET /bbs/login`
<img width="1610" height="1490" alt="Image" src="https://github.com/user-attachments/assets/4d2ac20b-1f26-4efc-99ba-57f03d65d5fb" />
On the login page, the view passes the url parameter from the URL to the template. When the template renders the page, it fills this url into an input field in the form. When users POST login data (i.e., POST /bbs/login), upon successful authentication, they will be redirected to the url value from the form.
<img width="804" height="1170" alt="Image" src="https://github.com/user-attachments/assets/6ad54a0c-5b33-4afb-ae1f-b31ef248728c" />
## Taint sink
`POST /bbs/login`
# POC
For example, if the BBS website is at 127.0.0.1:8000, requesting http://127.0.0.1:8000/bbs/login?url=http://google.com will cause the browser to open the Google homepage after successful authentication.
|
댓글을 작성하시려면 로그인이 필요합니다.
댓글 1개