Flask-Security, Open Redirect, CVE-2023-49438 (Medium) -DC-Jun2026-619


Vulnerability Deep Dive: Bypassing `validate_redirect_url()` via Backslash Subdomain Confusion
This vulnerability resides in the `flask_security.utils.validate_redirect_url()` function, which is responsible for sanitizing the `next` parameter used in redirects after login or registration. The core issue is a logic flaw that occurs when subdomain redirects are enabled (`SECURITY_REDIRECT_ALLOW_SUBDOMAINS = True`). By default, this function ensures that any absolute URL provided in the `next` parameter belongs to the same network location as the application, in order to prevent open redirects.
The bypass is achieved by inserting a backslash (`\`) or its URL-encoded form (`%5C`) into the authority (hostname) portion of the URL. For example, an attacker can craft a URL like `http://evil.com\.whitelist.com` or `http://evil.com%5C.whitelist.com`. Python's `urllib.parse.urlsplit()` parses the entire string `evil.com\.whitelist.com` as the netloc. Because this value ends with `.whitelist.com`, `validate_redirect_url()` incorrectly concludes that it is a valid subdomain of the whitelisted domain and permits the redirect.
The vulnerability is exploitable only when the application has `SERVER_NAME` set to a domain (e.g., `whitelist.com`) and `SECURITY_REDIRECT_ALLOW_SUBDOMAINS` is explicitly enabled. This issue is a variant of a previously patched bypass in Flask-Security-Too (CVE-2023-49438 / GHSA-672h-6x89-76m5), which involved backslashes in the path. The new vector targets the authority/host portion of the URL and is exacerbated by changes in Werkzeug >=2.1.0, where `autocorrect_location_header` defaults to `False`, making applications more susceptible to this class of attack.
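The parser disagreement at the heart of this bug can be reproduced with the standard library alone. The following is an added example, not code from Flask-Security or from the advisory: `naive_subdomain_check()` is a simplified model of the suffix test described above (hypothetical, not the library's actual implementation), `stdlib_view()` shows what `urlsplit()` reports for the same string, and `browser_style_host()` is a simplified model of the WHATWG rule that a literal backslash ends the host in http(s) URLs (the percent-encoded form is deliberately not modelled). The host name `whitelist.com` and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the trusted host plays the role of SERVER_NAME in the text.
TRUSTED_HOST = "whitelist.com"


def naive_subdomain_check(next_url: str, server_name: str = TRUSTED_HOST) -> bool:
    """Simplified model of the suffix test the advisory describes (hypothetical,
    not Flask-Security's own code): accept any URL whose netloc is the trusted
    host or ends with '.<trusted host>'."""
    netloc = urlsplit(next_url).netloc
    if not netloc:
        return True  # relative URL, stays on the application
    return netloc == server_name or netloc.endswith("." + server_name)


def stdlib_view(next_url: str) -> dict:
    """What urllib.parse.urlsplit reports: the whole authority, backslash
    included, is one netloc, because urlsplit only ends the authority at
    '/', '?' or '#'."""
    p = urlsplit(next_url)
    return {"scheme": p.scheme, "netloc": p.netloc, "hostname": p.hostname, "path": p.path}


def browser_style_host(next_url: str) -> str:
    """Simplified model of the WHATWG host rule for http(s): the host ends at
    the first '/', '\\', '?' or '#' after '://', so a literal backslash splits
    'evil.com\\.whitelist.com' into host 'evil.com' plus a path. The
    percent-encoded form (%5C) is not modelled here."""
    _, _, rest = next_url.partition("://")
    end = len(rest)
    for ch in "/\\?#":
        i = rest.find(ch)
        if i != -1:
            end = min(end, i)
    return rest[:end].lower()


def check_disagreement(next_url: str) -> bool:
    """True when the naive validator accepts the URL but a browser would land
    on a host outside the trusted domain: the open-redirect condition."""
    host = browser_style_host(next_url)
    under_trusted = host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)
    return naive_subdomain_check(next_url) and not under_trusted


if __name__ == "__main__":
    samples = (
        "http://app.whitelist.com/home",
        "http://evil.com",
        r"http://evil.com\.whitelist.com",
    )
    for u in samples:
        print(u, stdlib_view(u), naive_subdomain_check(u),
              browser_style_host(u), check_disagreement(u))
```

Running it shows the legitimate subdomain and the bare attacker host handled correctly, while the backslash form is accepted by the suffix test yet resolves to `evil.com` under the browser rule.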

DailyCVE Form

| Field | Details |
| :--- | :--- |
| Platform | Flask-Security |
| Version | <=5.3.2 |
| Vulnerability | Open Redirect |
| Severity | Medium (6.1) |
| Date | 2023-12-26 |
| Prediction | Patch Available |

What Undercode Say

Analytics

The vulnerability is triggered by how `urllib.parse.urlsplit()` and the validation logic handle backslashes within the URL’s authority section. The following analysis demonstrates the bypass.

Vulnerable Configuration Check:

Check whether the application is vulnerable by exercising the validation logic (the `/check` route is assumed to be a diagnostic endpoint of the test application):

```bash
curl "http://127.0.0.1:5000/check?next=http://evil.com%5C.whitelist.com"
```

Expected Vulnerable Response:

```json
{
  "next": "http://evil.com%5C.whitelist.com",
  "valid": true,
  "parsed": {
    "scheme": "http",
    "netloc": "evil.com%5C.whitelist.com",
    "hostname": "evil.com%5C.whitelist.com",
    "path": ""
  }
}
```

Crafting the Exploit URL:

The attacker's goal is to create a link that appears legitimate but redirects to a malicious site.

The vulnerable endpoint that performs the redirect:

```bash
curl -v "http://127.0.0.1:5000/redir?next=http://evil.com%5C.whitelist.com"
```

Vulnerable Behavior: The application responds with a `302 Found` status and a `Location` header set to `http://evil.com%5C.whitelist.com`.
Browser Behavior: When a browser receives this redirect, it normalizes the URL. The backslash (`%5C`) in the authority is often treated as a separator, and the browser ultimately navigates to `http://evil.com/`, which is the attacker's site.

Exploit

To exploit this vulnerability, an attacker crafts a malicious link and tricks a user into clicking it.
1. Craft the Malicious URL: The attacker creates a URL pointing to the vulnerable application's login or register page, injecting the malicious payload into the `next` parameter.

```
https://vulnerable-app.com/login?next=http://evil.com%5C.whitelist.com
```

2. Phishing and Redirection: The user, trusting the domain (`vulnerable-app.com`), clicks the link. The application's `validate_redirect_url()` function incorrectly validates the `next` parameter and issues a `302` redirect to the attacker-controlled URL.
3. Exploitation: The user's browser follows the redirect to `http://evil.com`, which can host a phishing page that mimics the legitimate site to steal credentials or other sensitive information.

Protection

Protecting against CVE-2023-49438 requires a multi-layered approach:

1. Immediate Patching: The most effective mitigation is to upgrade to a patched version of Flask-Security. Check your package manager for the latest security updates.

Example for pip:

```bash
pip install --upgrade flask-security
```

2. Configuration Changes: If patching is not immediately possible, consider these workarounds:
Disable Subdomain Redirects: Set `SECURITY_REDIRECT_ALLOW_SUBDOMAINS = False` in your application's configuration. This prevents the vulnerable code path from being reached.
Enable Werkzeug's Autocorrect: Force Werkzeug to correct malformed `Location` headers by setting `autocorrect_location_header = True` on the response class.
3. Input Validation: Implement additional, application-specific validation on the `next` parameter to reject any URL containing backslashes or other unusual characters.
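The three measures above, wired together, as an added example (not Flask-Security's code, and not the project's recommended configuration): `is_safe_next()` is a hypothetical application-level validator that rejects backslashes in raw and percent-encoded form before parsing, accepts only `http`/`https` targets, and compares subdomains label by label; `create_app()` shows the weak setting beside the corrected one, re-enables `autocorrect_location_header` on the response class, and refuses any request whose `next` fails the check. The server name, config dictionaries and route wiring are assumptions; Flask-Security itself is assumed to be initialised elsewhere.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed configuration for the example; the host name is an assumption.
SERVER_NAME = "whitelist.com"

# The weak setting the advisory describes, beside the corrected one.
WEAK_CONFIG = {"SERVER_NAME": SERVER_NAME, "SECURITY_REDIRECT_ALLOW_SUBDOMAINS": True}
SAFE_CONFIG = {"SERVER_NAME": SERVER_NAME, "SECURITY_REDIRECT_ALLOW_SUBDOMAINS": False}

# Characters that must never appear in a redirect target: backslash, C0 controls,
# space and DEL. Checked on the raw value and on its percent-decoded form, so
# parser and browser can never disagree about where the host ends.
_FORBIDDEN = re.compile(r"[\\\x00-\x20\x7f]")
# A DNS label: letters, digits and inner hyphens only.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_safe_next(next_url, server_name=SERVER_NAME, allow_subdomains=False):
    """Application-level check for the `next` parameter (hypothetical helper,
    not Flask-Security's validate_redirect_url). Returns True only for an
    absolute same-site path or an http(s) URL whose host is the server name
    or, if enabled, one of its subdomains compared label by label."""
    if not next_url:
        return False
    if _FORBIDDEN.search(next_url) or _FORBIDDEN.search(unquote(next_url)):
        return False
    parts = urlsplit(next_url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc:
        # Relative target: accept only an absolute path on this site.
        return parts.path.startswith("/")
    host = (parts.hostname or "").lower()
    if host == server_name:
        return True
    if allow_subdomains and host.endswith("." + server_name):
        return all(_LABEL.match(label) for label in host.split("."))
    return False


def create_app():
    """Wire the guard into a Flask app. Flask is imported lazily so the helper
    above stays importable without it; Flask-Security is assumed to be set up
    elsewhere in a real application."""
    from flask import Flask, Response, abort, request

    class CorrectingResponse(Response):
        # Werkzeug >= 2.1 defaults this to False; the advisory's second workaround.
        autocorrect_location_header = True

    app = Flask(__name__)
    app.response_class = CorrectingResponse
    app.config.update(SAFE_CONFIG)  # first workaround: no subdomain redirects

    @app.before_request
    def reject_unsafe_next():
        # Third measure: refuse any request whose `next` fails the check.
        target = request.args.get("next")
        if target is not None and not is_safe_next(
            target,
            app.config["SERVER_NAME"],
            app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"],
        ):
            abort(400)

    return app
```

Rejecting the forbidden characters before `urlsplit()` is the important design choice: once a backslash has been parsed into a netloc, any suffix comparison is reasoning about a host the browser will never use.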
Impact

- Phishing Attacks: An attacker can create a link that appears to originate from a trusted domain (`whitelist.com`) but redirects the user to a malicious site (`evil.com`).
- Credential Theft: The malicious site can be a convincing replica of the legitimate login page, designed to steal user credentials.
- Bypass of Security Controls: The vulnerability allows an attacker to bypass the application's built-in redirect validation, undermining a key security control.
- Widespread Applicability: The issue affects all versions of Flask-Security-Too up to 5.3.2 and is exacerbated by newer versions of Werkzeug, increasing the attack surface.

Sources:

Reported By: github.com