CVE-2024-21723 - Inadequate URL Parsing Leads to Open Redirect Vulnerability

Published: June 2024
Severity: Medium
CWE-ID: CWE-601 (URL Redirection to Untrusted Site (‘Open Redirect’))

Overview

CVE-2024-21723 is a security vulnerability discovered in how certain web applications parse URLs. When a web app does not properly validate or sanitize URLs used for redirection, this flaw can allow attackers to redirect users to malicious websites. Open redirects are often used in phishing attacks, as the user clicks a trusted link but gets sent to a dangerous site.

What Is an Open Redirect?

An open redirect happens when a web application accepts user input (such as a URL) and then sends users to that URL without validation. A typical use case may be redirecting the user to a page after login (/login?next=/dashboard), but if this parameter isn’t checked properly, attackers can use it for evil:

- Phishing: Send emails with links to legitimate-looking websites that actually redirect to a fake page.
- Information Leakage: Allow attackers to exploit the trust of the original website to trick users.

What Went Wrong?

CVE-2024-21723 was caused by inadequate parsing of URLs sent in query parameters or HTTP headers. The following sections explain how this happens and provide real code snippets.

Here’s a simple Python/Flask example that demonstrates the issue

from flask import Flask, request, redirect

app = Flask(__name__)

@app.route('/go')
def go():
    url = request.args.get('url')
    return redirect(url)

What’s wrong?
The code simply takes the url parameter from the query string (e.g., /go?url=https://evil.com) and redirects to it. There is no validation to check if the URL points to a trusted domain.

Attack Example

A phishing email could include:
https://trustedsite.com/go?url=https://phishingsite.com

Victims click on the trusted website but end up on a malicious one.

Here’s how an attacker would exploit this vulnerability

1. Identify vulnerable endpoint: /go?url=[some_url]

`

https://trusted.com/go?url=https://evil.com

`

3. Send to victim: User clicks expecting a safe redirect but gets sent to a phishing or malware site.

Technical Details

- Parsing Flaw: The application fails to check for a “safe” domain or restricts only to relative paths, allowing full external URLs.
- No Sanitization: No logic filters or rewrites global URLs; all URLs are treated as equally valid.

Here’s a snippet in Node.js/Express that shows the same vulnerability

app.get('/redirect', function(req, res) {
    const url = req.query.url;
    res.redirect(url);
});

Correct Secure Implementation

To patch CVE-2024-21723, always validate redirection targets.

Python Example: Only allow on-site redirects

from flask import Flask, request, redirect, url_for

app = Flask(__name__)

@app.route('/go')
def go():
    target = request.args.get('url')
    # Only allow internal redirects
    if target and target.startswith('/'):
        return redirect(target)
    else:
        return redirect(url_for('home'))

Even better:
Explicitly whitelist allowed domains or use a mapping table for “safe” targets.

Resources and References

- CVE-2024-21723 on NVD (National Vulnerability Database)
- OWASP Open Redirect (Unvalidated Redirects and Forwards)
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
- Flask redirect documentation
- How to Prevent Open Redirect Vulnerabilities

Summary

CVE-2024-21723 is a classic example of why URL validation matters!
Never trust user input for redirects. Don’t let inadequate parsing make your users vulnerable to phishing and cyber attacks.

Timeline

Published on: 02/29/2024 01:44:03 UTC
Last modified on: 12/02/2024 16:15:08 UTC