What is an open redirect?
Open redirects are a web application vulnerability that allows an attacker to redirect a user to a malicious website. It can also be used to phish a user’s credentials, deliver malware, and sometimes perform XSS.
An oft used example is as follows:
https://example.com/redirect.php?url=http://attacker.com
Upon clicking this link, a victim is redirected to attacker.com. An unsuspecting user — even a technically inclined one — may hover over this link and see example.com and think all is well. Unfortunately that could be a big mistake.
What is the Microsoft Vulnerability?
Recently, Brackish testers found an open redirect in Microsoft Azure AD B2C login while manually testing web applications – this was not picked up by a scanner.
https://msrcweb.b2clogin.com/msrcweb.onmicrosoft.com/b2c_1a_multitenant_signupsignin/oauth2/v2.0/logout?post_logout_redirect_uri=https://google.com
Brackish reported this to Microsoft, but since it isn’t seen as a vulnerability unless it is combined with something else (like XSS as mentioned above), it probably won’t get fixed.
Detection
Many vulnerability scanners will detect open redirects, however an astute attacker can spot opportunities where there are query parameters such as:
?redirect=
?url=
?redir=
This is not nearly an exhaustive list.
Prevention
Web application scanners – static or dynamic – can detect some open redirects. And, as always, penetration testing can find the vulnerabilities that are hidden a little deeper.