← Back to Guides

Enhancing Security for Redirects and Rewrites

Setting up redirects and rewrites is a common task in web development. However, these configurations can accidentally become gateways for semantic attacks if they aren't handled securely.

Semantic attacks are misleading tactics where malicious hosts alter Uniform Resource Identifiers (URIs, or web addresses) to mimic trustworthy websites, leading to potential phishing incidents or data breaches. Such manipulations often exploit overlooked misconfigurations in redirects and rewrites.

To prevent such threats, it's crucial to be cautious with URI structures and implement strong security measures.

URIs are fundamental for locating web resources.

One of its subcomponents, userinfo, is located before the host within the authority section. It was historically meant for user credentials, but its use is now discouraged due to the security risks it poses. Misusing the userinfo component can make a URI appear legitimate while it points to a malicious host.

What are Semantic Attacks?

Semantic Attacks are attacks in which malicious hosts exploit the URIs to mislead users. They tweak a part of the URI, creating a disguise that leads users to believe they are interacting with a trusted site, while they're actually on a malicious one.

This deception can lead to harmful activities like phishing scams or data theft. The stealthiness of semantic attacks emphasizes the importance of being cautious when dealing with URIs and putting strong security measures in place for redirects and rewrites to prevent them.

There are a few semantic attack vectors to keep in mind.

userinfo Deception

This configuration allows an attacker to craft a URL by appending a deceptive parameter that includes a malicious site's domain, exploiting the lack of input validation to perform a semantic attack.

rewrites

If a user inputs foo@evil.com/ as their id, a URL like https://foo@evil.com/.example.com/ could be constructed. This is an issue since a RFC-compliant URL parser would interpret the URL as a request to https://evil.com/.example.com/, potentially allowing an attacker to exploit the functionality to rewrite the request to the attacker's server via a legitimate customer domain. The attacker will then be able to return any content on this customer domain, which can be used to establish XSS attacks or steal user credentials.

next.config.json
// ❌ Vulnerable 
{
  "rewrites": [
    {
      "source": "/user/:id*",
      "destination": "https://:id.example.com/"
    }
  ]
}


// ✅ Not vulnerable 
{
  "rewrites": [
    {
      "source": "/user/:id(\\d+)",
      "destination": "https://:id.example.com/"
    }
  ]
}

To counter this, we need to enforce precise pattern restrictions in our URI parameters. In this pattern, \\d+ assures that the id can only be made up of digits, effectively neutralizing the attack vector by preventing alphabetic or special characters like @.

redirects

When a web application’s redirect rules don't properly validate subdomain inputs, attackers can exploit this to turn legitimate domains into open redirectors. The primary concern with this vulnerability is that it abuses the trust in a legitimate domain.

A legitimate website can have a configuration that allows for dynamic subdomains.

next.config.json
// ❌ Vulnerable
{
  "redirects": [
    {
      "source": "/user/:id*",
      "destination": "https://:id.example.com/"
    }
  ]
}

An attacker can use this behavior to craft a URL that appends their malicious domain to the expected subdomain pattern, for example, https://example.com/user/foo@evil.com/.

If a user inputs foo@evil.com/ as their id, a URL like https://foo@evil.com/.example.com/ could be constructed. As explained in the above section, this is interpreted as a request to https://evil.com/.example.com/ by a parser, and the resulting HTTP redirect response would contain the link to the attacker’s website.

The attacker may use this to send out spam emails containing such a crafted URL that redirects users to a malicious site, as the email recipients see the trusted domain example.com and assume the link is safe, even though it’s not! The attacker can then execute phishing schemes, steal credentials, or distribute malware.

By setting up strict matching patterns, you can prevent such attacks.

next.config.json
// ✅ Not vulnerable 
{
  "redirects": [
    {
      "source": "/user/:id(\\d+)",
      "destination": "https://:id.example.com/"
    }
  ]
}

Conclusion

As we've seen, setting up redirects and rewrites can come with inherent security risks. If not properly addressed, these can serve as a vector for semantic attacks.

Developers must implement strict security measures that go beyond simple pattern matching to mitigate those risks, which includes:

  • Enforcing precise regex patterns
  • Ensuring proper input validation
  • Following the principle of least privilege in URL parameters
  • Establishing a strong security culture
  • Frequently conducting security audits
  • Changing settings when new threats surface

Enforcing these measures helps to not only safeguard our systems and data, but also to retain user trust.

Couldn't find the guide you need?