Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Google open redirect
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 7 Dec 2011 21:15:17 -0800

_Open_ URL redirectors are trivially prevented by any vaguely sentient
web developer as URL redirectors have NO legitimate use from outside
one's own site so should ALWAYS be implemented with Referer checking

There are decent solutions to lock down some classes of open
redirectors (and replace others with direct linking), but "Referer"
checking isn't one of them. It has several subtle problems that render
it largely useless in real-world apps.

There are also some classes of redirection / content proxying problems
that you can't quite eliminate until you give up on offering certain
functionality to users (e.g. page translation, cached document views,
embeddable <iframe> gadgets) - and that's actually an interesting
conceptual struggle.

Apparently Google's web developers are so stubbornly unable to absorb
this simple notion that it has become company policy that officially
Google does not care about open redirectors:

  http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

I actually wrote that bit, and as far as I remember, it's not a
half-assed attempt to justify incompetence ;-)

We have a vulnerability reward program, and it's just about not paying
$500 for reports of that vulnerability - along with not paying for
many other minimal-risk problems such as path disclosure.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]