| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Dec 2011 01:05:10 -0500
From: Luis Santana <hacktalkblog@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect
As for minimal risk I personally don't agree. I have leveraged Unvalidated
URL Redirections in the past to attack clients of sites all the time. It's
highly trivial to point to a site with a metasploit browser bug patiently
waiting and amass quite a large number of sessions in a short period of
time should your spam campaign be efficient and actually draw users to the
vulnerable site.
Just like with XSS, being able to drive clients from one site to another is
a huge security risk, not for the company, but for the clients of that
company which will quickly point fingers at the company for putting them at
risk in the first place and while I agree that the researcher shouldn't get
paid the full 500 bucks some sort of compensation for keeping Google's ass
out of the fire should be presented to the researcher; even if it's just a
friggen $100 Adwords coupon to help the researcher drive traffic to their
site at the very least.
In the end, until someone leverages one of these vulnerabilities in a large
company and pisses off a lot of clients and causes the media to go after
the company, I don't see many product vendors or large websites giving two
shits about vulnerabilities such as this which is both sad and a fact of
life.
Cheers,
connection
HackTalk Security - Security From The Underground
On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf@...edump.cx>wrote:
> > _Open_ URL redirectors are trivially prevented by any vaguely sentient
> > web developer as URL redirectors have NO legitimate use from outside
> > one's own site so should ALWAYS be implemented with Referer checking
>
> There are decent solutions to lock down some classes of open
> redirectors (and replace others with direct linking), but "Referer"
> checking isn't one of them. It has several subtle problems that render
> it largely useless in real-world apps.
>
> There are also some classes of redirection / content proxying problems
> that you can't quite eliminate until you give up on offering certain
> functionality to users (e.g. page translation, cached document views,
> embeddable <iframe> gadgets) - and that's actually an interesting
> conceptual struggle.
>
> > Apparently Google's web developers are so stubbornly unable to absorb
> > this simple notion that it has become company policy that officially
> > Google does not care about open redirectors:
> >
> >
> http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection
>
> I actually wrote that bit, and as far as I remember, it's not a
> half-assed attempt to justify incompetence ;-)
>
> We have a vulnerability reward program, and it's just about not paying
> $500 for reports of that vulnerability - along with not paying for
> many other minimal-risk problems such as path disclosure.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists