Open Redirect Protection

Question

Google's Webmaster blog wrote some solution on how to prevent Open Redirect Protection abuse, I've been perplexed by some of the solutions there for quite sometime, I tried googling but found no results.

1. Change the redirect code to check the referer
2. Consider using a whitelist
3. Consider signing your redirects
4. Specifically disallow off-site redirects

My guesses on the solution:

1. Use %{HTTP­_RE­FERER} to do some checking in the url request
2. Use some regex in the url request to check if the site in the url request is within the scope of the regex
3. Can't think of any
4. Can't think of any

Please let me know if my guesses are correct, and if they're not please tell me how to do it correctly in PHP or Apache. Thanks!

Answer 1

1. correct, but this is not a reliable approach. HTTP Referrer can be manipulated.
2. Define a list of URLs which are allowed to be redirected to, compare to this list and cancel redirects to any other URL.
3. Add a salted hash of the redirect as a redirect param. Before redirecting, check that hash with the request params. If the calculated hash is the same as the hash in the request params, probably no request manipulation is made -> redirect can be executed. This prevents any redirects to be executed unless anybody guesses your hash-generation algorithm (thats why you have to salt it with a secret key).
4. Cancel all redirects which will lead to any URL that doesn't contain your website as host. This can be done with a regex as you guessed at 2.

Answer 2

An Open Redirect becomes possible when your application does a blind redirect based on user supplied content ie by POST or GET. Open Redirects are most commonly exploited by Phishing attacks.

To prevent Open Redirects, you should validate and verify any URL that you redirect to if the URL is coming from user input. It should be verified based on a whitelist.