From c7768c97dbad70189c212a04efa6b52700fbbead Mon Sep 17 00:00:00 2001 From: Kyle Martin Date: Sun, 7 Oct 2018 20:35:20 +1300 Subject: [PATCH] MINOR Prevent unsafe redirects --- README.md | 12 ++++++- sections/security/saferedirects.md | 58 ++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 sections/security/saferedirects.md diff --git a/README.md b/README.md index f5071667..b46adb9c 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@
- 73 items Last update: September 9th, 2018 Updated for Node 8.11.3 LTS + 74 items Last update: October 7th, 2018 Updated for Node 8.11.3 LTS

@@ -925,6 +925,16 @@ All statements above will return false if used with `===` **Otherwise:** This is just an educated guess: given many Node.js applications, if we try passing an empty JSON body to all POST requests - a handful of applications will crash. At that point, we can just repeat sending the same request to take down the applications with ease +

+ +## ![✔] 6.24. Prevent unsafe redirects + +**TL;DR:** Redirects that do not validate user input can enable attackers to launch phishing scams, steal user credentials, and perform other malicious actions. + +**Otherwise:** If an attacker discovers that you are not validating external, user-supplied input, they may exploit this vulnerability by posting specially-crafted links on forums, social media, and other public places to get users to click it. + +🔗 [**Read More: Prevent unsafe redirects**](/sections/security/saferedirects.md) +


⬆ Return to top

diff --git a/sections/security/saferedirects.md b/sections/security/saferedirects.md new file mode 100644 index 00000000..c3ebd5ab --- /dev/null +++ b/sections/security/saferedirects.md @@ -0,0 +1,58 @@ +# Prevent unsafe redirects + +### One Paragraph Explainer + +When redirects are implemented in Node.js and/or Express, it's important to perform input validation on the server-side. +If an attacker discovers that you are not validating external, user-supplied input, they may exploit this vulnerability by posting specially-crafted links on forums, social media, and other public places to get users to click it. + +Example: Unsafe express redirect using user input +```javascript +const express = require('express'); +const app = express(); + +app.get('/login', function (req, res, next) { + + if (req.session.isAuthenticated()) { + res.redirect(req.query.url); + } + +}); +``` + +The suggested fix to avoid unsafe redirects is to avoid relying on user input. If user input must be used, safe redirect whitelists can be used to avoid exposing the vulnerability. + +Example: Safe redirect whitelist +```javascript +const whitelist = { + 'https://google.com': 1 +}; + +function getValidRedirect(url) { + // check if the url starts with a single slash + if (url.match(/^\/(?!\/)/)) { + // Prepend our domain to make sure + return 'https://example.com' + url; + } + // Otherwise check against a whitelist + return whitelist[url] ? url : '/'; +} + +app.get('/login', function (req, res, next) { + + if (req.session.isAuthenticated()) { + res.redirect(getValidRedirect(req.query.url)); + } + +}); +``` + + +### What other bloggers say + +From the blog by [NodeSwat](https://blog.nodeswat.com/unvalidated-redirects-b0a2885720db): +> Fortunately the mitigation methods for this vulnerability are quite straightforward — don’t use unvalidated user input as the basis for redirect. + +From the blog by [Hailstone](https://blog.hailstone.io/how-to-prevent-unsafe-redirects-in-node-js/) +> However, if the server-side redirect logic does not validate data entering the url parameter, your users may end up on a site that looks exactly like yours (examp1e.com), but ultimately serves the needs of criminal hackers! + +