Cutting the long story short; WashingtonPost’s official website suffers from Open URL redirect security vulnerability.
Washingtonpost.com would enable my website with either fake news of phishing link after the injection of arbitrary URL. There was a caveat and with a small URL and a Browser trick; I was able to make washingtonpost.com to redirect an unsuspecting user to my domain.
The vulnerability resides in the URL parameter named ‘next_url’ wherein an attacker can alter the redirection URL to a malicious website. This attack could be leveraged to redirect users of the website to be redirected to phishing pages or posting fake information in the name of Washington Post.
The exploit code does not work with any URL(s) since security logic / filter is in place which only permits URLs pertaining to specific domains like ‘washingtonpost.com’ and not randomly. Thus a bypass was required in order to execute the attack. Using a less known trick; the attack was successfully executed. The web-server logic checks if the parameter ‘next_url’ contains washingtonpost.com, which is insufficient check to prevent the crafted attack. Check the undermentioned URL. You should get a subscription page. After clicking on the desired subscription, you should land on my website.
Here, the payload https://email@example.com can be broken into components. Here is how any browser treats a URL:
- https:// – The protocol
- ckure.xyz – the domain (to open or access)
- @ – delimiter
- www.washingtonpost.com – the username for the domain to be accessed i.e. ckure.xyz
This vector should have been invalidated by the server but is perfectly valid as per RFC [https://tools.ietf.org/html/rfc3986] so the browser will allow this to execute and open the attacker’s domain. This URL may still look fishy. So lets us make it subtle.
Adding URL encoding to the the attackers domain name to further masquerade our attack; we have our final attack vector:
By sending this URL to a victim will redirect them to my website and make them believe the content shown. In the video, I’ve redirected to the website (under my control) where it shows that president trump has been re elected for second time (which obviously is not true).
The issue has been registered in the bug tracker program at cKure [https://ckure.xyz/bt/resources/WashintonPost_URL_Redirection.doc]
Multiple attempts were made to contact washingtonpost, but to no avail as of now (this article).
#1Day hashtag indicates that this vulnerability is known in security domain but is not fixed or patched. This is not the standard definition though; just in this blog.