A redirect automatically sends website’s visitors to some different location or URL; redirection could be either at different location within the same site or a new site or webpage.

Unsecure redirection and forwarding are the outcomes when a web application accepts untrusted inputs that could cause the web application to redirect the request to a URL contained within untrusted/Unvalidated input, we can also call this type of redirection as Unvalidated Redirection.

We are demonstrating the actual concept and types of redirection through a PHP code running under apache server on a local machine running kali Linux. We can also use wamp or xampp server for windows machine to run and execute these codes. For executing our redirection scripts, put the codes in /var/www/html directory: This is the directory pointing to localhost (in our case).

References

 http://php.net/manual/en/function.header.php

https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Basic Redirection

On browser type localhost/redirect/home.php

Hover on Redirect Link, pointing to redirection page (re.php). We can see the redirection on clear text format below. (As shown in the figure below). 

When we click on this link, we will be redirected to http://www.hackingarticles.in, as we have coded in our redirection script (re.php).

This is the basic redirection where we are simply redirecting the users from one page to another page through php scripts without considering any security measures in account. The further encoding parameters of redirection are explained below.

URL Encoding

On browser type localhost/hex/home.php (page where we have our scripts)

Hover on Redirect Link, pointing to redirection page (re.php). We can see the redirection on clear text format below.(As shown in the figure below).

Here we are using the same script for the home page but in this redirection we are using simple URL encoding where we can send our URL in URL Encoded format  and the encoded URL is being decoded through the script running on our redirected php page(re.php in this case).

WE can use any online /offline converter for calculating URL encoded value (in this example we are using http://www.meyerweb.com/)

Refer below screenshot for URL encoding.

 Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with URL encoded value we will land on the same page.

The following is the result

HEX Encoding

Here we are converting the URL in its Hexadecimal Value using Burp suite (you can use any online/offline tool).

Single Hex encoded value of http://www.hackingarticles.in is

%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e

Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with single hex encoded value we will land on the same page.

The following is the result

Multilevel Encoding

Here we are demonstrating the multilevel encoding where we are re-encoding the pre encoded values.

Double Hex encoded value of http://www.hackingarticles.in is

%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65

Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with double hex encoded value we will land on the same page.

The following is the result

Base 64 Encoded Redirection

On browser type http://localhost/base64/home.php

Hover on Redirect Link, pointing to redirection page (re.php). Here we are pre encoding our URL to its base 64 encoded value because of which our URL is something which can’t be understandable with naked eye .(As shown in the figure below).

 Below image shows the Base64 encoding of our URL http://www.hackingarticles.in

Base64 encoded value of http://www.hackingarticles.in is

 “aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4=”

The following is the output

Author: Ankit Gupta, the Author and co-founder of this website, An Ethical Hacker, Telecom Expert, Programmer, India. He Has Found his Deepest Passion To Be Around The World Of Telecom, ISP and Ethical Hacking. Contact Here