logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Uncontrolled external site redirect - Host Header Injection - Ruby

Need

Prevention of uncontrolled external site redirects

Context

  1. Usage of Ruby for scripting and web development
  2. Usage of ActionController for handling actions and routing in a Ruby on Rails application

Description

Insecure Code Example

class ApplicationController < ActionController::Base
  def redirect
    redirect_to params[:url]
  end
end

In the above code snippet, the `redirect` method in `ApplicationController` is vulnerable to Host Header Injection. This is because it uses the `params[:url]` directly from the request to redirect the user. This parameter can be manipulated by an attacker to redirect users to malicious websites. This vulnerability is known as Uncontrolled External Site Redirect or Open Redirect. It allows an attacker to craft a URL with a different `Host` header that points to a malicious website. When the user clicks on this link, they are redirected to the attacker's website instead of the expected location. In the context of a Ruby on Rails application, this can lead to serious security issues as the attacker can use this vulnerability to steal sensitive information such as session cookies or perform phishing attacks.

Steps

  1. Validate and sanitize the input received in the 'url' parameter to prevent any malicious input.
  2. Implement a whitelist of allowed redirect destinations to restrict the redirection to trusted domains only.
  3. Use a safe redirect method provided by the framework that automatically handles the Host header, such as 'redirect_back' or 'redirect_to' with a specific route or path.
  4. Avoid using user-supplied input directly in the redirect URL. Instead, use a separate variable or construct the URL using a trusted source.
  5. Implement proper input validation and sanitization throughout the application to prevent other types of injection attacks.

Secure Code Example

class ApplicationController < ActionController::Base
  def redirect
    url = params[:url]
    if url.present? && valid_url?(url)
      redirect_to url
    else
      redirect_to root_path
    end
  end

  private

  def valid_url?(url)
    allowed_domains = ['www.trusteddomain1.com', 'www.trusteddomain2.com']
    uri = URI.parse(url)
    allowed_domains.include?(uri.host)
  rescue URI::InvalidURIError
    false
  end
end

The updated code includes a new method `valid_url?` that checks if the URL is part of a whitelist of allowed domains. This method is used in the `redirect` action to validate the `url` parameter before redirecting to it. If the URL is not valid or not present, the user is redirected to the root path of the application. The `valid_url?` method uses the `URI.parse` method to parse the URL and extract the host. It then checks if this host is included in the `allowed_domains` array. If the URL is not valid or its host is not in the allowed domains, the method returns `false`. This approach ensures that the application only redirects to trusted domains, preventing Host Header Injection attacks. It also provides a fallback redirect to the root path of the application in case the `url` parameter is not present or not valid. This improves the robustness of the application and enhances its security.

References

  • 023 - Uncontrolled external site redirect - Host Header Injection

    • Last updated

    2023/09/18