CTF#2 Level 13

Url: http://ctf.infosecinstitute.com/ctf2/exercises/ex13-task.php

Description: Hmm, it seems that level thirteen is redirecting to this page. Why don't you analyze the redirect and check whether the redirect is validated thoroughly? If not, you want to redirect to a page on a remote server and send links to people, fooling them into thinking they are accessing a different domain.

Vulnerability: OWASP A10 Unvalidated Redirects and Forwards

Solution:

Here is the description of OWASP A10 Unvalidated Redirects and Forwards from the Railsgoat wiki:
“Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page. Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, because they target internal pages.

Railsgoat allows the redirection to the paths previously requested but for which the user did not have access. Following authentication, the user is redirected.”

Ok, let’s start the last level. First I check the source code and find an interesting line:

<li><a class="exPending" href="../exercises/ex13.php?redirect=ex13-task.php">Level 13</a></li>

So the task is to redirect to another domain or URL; let’s try it the same way as in ex4:

http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=http://shellnux.in

I got:

Bad Redirect Parameter

Then I try an uppercase HTTP: and still get the same error, so I omit the http: entirely:

http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=//shellnux.in

And I got a message “Congratulations, you just completed the last level. You are a true Ninja warrior now.”
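As an added example (not code from the CTF or this write-up; Python stands in for the level's PHP, and the function names and the fallback path are my own assumptions), here is a scheme-blacklist check of the kind that //shellnux.in slips past, beside an allow-list check that accepts only a path inside the application and therefore rejects protocol-relative URLs:

```python
"""Added example: why a scheme blacklist on a redirect parameter is bypassed by a
protocol-relative URL such as //shellnux.in, and an allow-list check that is not.
Function names and the fallback path are constructed for this illustration."""
from urllib.parse import urlsplit


def weak_is_local(target: str) -> bool:
    """Naive check: refuse anything starting with http:// or https:// (case-
    insensitively) and accept everything else. A protocol-relative '//host' has
    no scheme, so the browser still leaves the origin but this check passes it."""
    lowered = target.lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))


def strict_is_local(target: str) -> bool:
    """Allow-list check: accept only an absolute path on this application.

    Rejects any scheme, any authority ('//host', and '/\\host' which browsers
    normalise to '//host'), backslashes, and control characters (CR/LF would
    let the value inject further response headers)."""
    if not target or target[0] != "/":
        return False                      # must start with exactly one '/'
    if len(target) > 1 and target[1] in "/\\":
        return False                      # '//host' or '/\host': an authority
    if "\\" in target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    parts = urlsplit(target)              # belt and braces: no scheme, no host
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(target: str, fallback: str = "/ctf2/exercises/ex13-task.php") -> str:
    """Return target if it is a same-origin path, otherwise the fallback page."""
    return target if strict_is_local(target) else fallback


if __name__ == "__main__":
    for candidate in ("http://shellnux.in", "HTTP://shellnux.in", "//shellnux.in",
                      "/\\shellnux.in", "/ctf2/exercises/ex13-task.php"):
        print(f"{candidate!r:40} weak={weak_is_local(candidate)!s:5} "
              f"strict={strict_is_local(candidate)}")
```

The weak check accepts //shellnux.in (the level's bypass), while the strict check passes only /ctf2/exercises/ex13-task.php; a relative default such as ex13-task.php would be mapped to its absolute application path before the check.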

At last I finished the challenge. Thanks a lot to infosecinstitute.com for this awesome challenge, I learned a lot. :p

Resources and Tools:
1. OWASP A10 Unvalidated Redirects and Forwards – https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-%28redirect_to%29
