
Learn About Open Redirects


Attention, Trailblazer!

Salesforce has two different desktop user interfaces: Lightning Experience and Salesforce Classic. This module is designed for Salesforce Classic.

You can learn about switching between interfaces, enabling Lightning Experience, and more in the Lightning Experience Basics module here on Trailhead.

Learning Objectives

After completing this unit, you'll be able to:
  • Explain what an open redirect vulnerability is.
  • Identify this vulnerability in your application.
  • Describe the impact of open redirect vulnerabilities to your users.

What Is Open Redirect?

URL redirects automatically send a user to a different web page. They’re often used to guide navigation to a website or to enable multiple domain names belonging to the same owner to refer to a single website. Unfortunately for developers, attackers can exploit URL redirects if they aren’t implemented properly.

Open redirect (also known as “arbitrary redirect”) is a common web application vulnerability where values that are controlled by the user determine where the app redirects. Here’s an example of a vulnerable application.

https://www.vulnerable-site.com?startURL=https://www.good-site.com

In this URL, the vulnerable-site.com application should automatically redirect the user to www.good-site.com as the page loads. Seems pretty reasonable, right? However, what if an attacker changes the URL to this?

https://www.vulnerable-site.com?startURL=https://www.evil-hacker.com

This time, the application redirects the user to evil-hacker.com instead of good-site.com.

Are your Salesforce applications vulnerable to open redirects? Let’s take a closer look at this vulnerability and how you can address it in your own apps.

Tip

Stop! If you haven’t completed the Injection Vulnerability Prevention module, please go there first. You’ll need to sign up for a special Developer Edition org, which is configured with vulnerable code for you to practice with, before you can do this module.

How Open Redirect Can Occur

As the lead Apex developer for the Kingdom Management app, you’ve created a custom page for tracking supply requests for your different castles. When a user edits a supply request, and clicks Save or Cancel, you want to redirect the user to a menu page within the application. This is a common web app design pattern. To accomplish this, you wrote the following Visualforce and Apex code.

Visualforce:
<apex:commandButton action="{!save}" value="Save"/>
Apex:
public PageReference save() {
    update accounts;
    // The redirect target is read straight from the request parameter;
    // nothing checks where it points before the browser is sent there.
    String onSave = ApexPages.currentPage().getParameters().get('onSave');
    PageReference savePage = new PageReference(onSave);
    savePage.setRedirect(true);
    return savePage;
}

A user who clicks Save is taken to the URL stored in the parameter onSave. Take a look at the code and test the functionality in your demo environment.

  1. In your Kingdom Management developer org, navigate to the Open Redirect application from the app picker.
  2. Select the Open Redirect Basics Demo tab.
  3. You’ll notice the onSave URL parameter is populated with the menu URL (https://[your_instance].visual.force.com/apex/open_redirect_basics_demo?onCancel=%2Fhome%2Fhome.jsp&onSave=%2Fhome%2Fhome.jsp&tsid=02uf4000000rGfu).
  4. Now edit one of the accounts, and click Save.
  5. You’ll see that you are redirected to the URL that was stored in the onSave URL parameter (that is, /home/home.jsp).

The code accomplishes exactly what you intended. Where’s the vulnerability?

How Attackers Exploit Application Redirects

While the redirect satisfies your requirements, it leaves unsuspecting users of your app vulnerable, because a user can modify the request to dictate the destination of the redirect. So based on what we learned above, it sounds like your application is vulnerable to open redirect.

You can see how easy it is to exploit this vulnerability in the Kingdom Management developer org!

  1. Navigate to the Open Redirect application from the app picker.
  2. Select the Open Redirect Basics Demo tab.
  3. Locate the onSave URL parameter.
  4. Replace the URL listed there with this URL to a Rick Astley music video: “https://www.youtube.com/watch?v=dQw4w9WgXcQ”
  5. The URL should look like this: /apex/open_redirect_basics_demo?onSave=https://www.youtube.com/watch?v=dQw4w9WgXcQ
  6. Now let’s test the results of the open redirect attack. Hit enter to submit the page, or load the URL:
    /apex/open_redirect_basics_demo?onSave=https://www.youtube.com/watch?v=dQw4w9WgXcQ

    Because your demo environment could be on a different instance from ours, your URL looks similar to this, but not identical: https://c.na3.visual.force.com/apex/open_redirect_basics_demo?onSave=https://www.youtube.com/watch?v=dQw4w9WgXcQ

  7. Edit an Account and click Save.
  8. If you end on the Rick Astley video, the attack was successful.

You can use this page to explore the open redirect functionality and code further (Hint: The Cancel button also has an open redirect problem, see if you can spot it!).
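One way to close the hole in the save() method above, as an added example rather than code from the module or from Salesforce: follow onSave only when it is a site-relative path, and otherwise send the user to a fixed menu page. It also rejects the protocol-relative forms ('//host' and '/\host') that a bare startsWith('/') check would let through. The class name, the accounts property and the helper name are assumptions.

```apex
public class SupplyRequestController {
    // Records edited on the page; assumed to be loaded by the page (hypothetical).
    public List<Account> accounts { get; set; }

    // Fixed menu page used whenever onSave is missing or unsafe.
    private static final String DEFAULT_TARGET = '/home/home.jsp';

    public PageReference save() {
        update accounts;
        // onSave is still read from the request, but it is validated
        // before it decides where the browser goes.
        String onSave = ApexPages.currentPage().getParameters().get('onSave');
        PageReference savePage = new PageReference(safeRedirectTarget(onSave));
        savePage.setRedirect(true);
        return savePage;
    }

    // Returns the candidate only when it is a site-relative path.
    // Absolute URLs ('https://...'), protocol-relative URLs ('//host'),
    // backslash variants ('/\host') and blanks all fall back to the menu,
    // so the browser can only ever land on a path within this org.
    @TestVisible
    private static String safeRedirectTarget(String candidate) {
        if (String.isBlank(candidate)) {
            return DEFAULT_TARGET;
        }
        String target = candidate.trim();
        Boolean relative = target.startsWith('/')
            && !target.startsWith('//')
            && !target.startsWith('/\\');
        return relative ? target : DEFAULT_TARGET;
    }
}
```

With this in place, the demo's original value /home/home.jsp still works, while a value such as https://www.youtube.com/watch?v=dQw4w9WgXcQ is replaced by the menu page instead of being followed.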

The Impact of Open Redirect

As you can see, it’s easy to accidentally introduce an open redirect vulnerability in your code. However, this vulnerability might not seem as serious as other types of web application vulnerabilities (silly videos don’t appear to cause much harm). Some developers will even argue that open redirect isn’t a vulnerability at all. Instead, it’s a feature that works as designed.

But consider how a criminal hacker might take advantage of this sort of vulnerability. Trudy, a hacker who has targeted Kingdom Management’s users, wants to steal credentials (usernames and passwords) so she can try to break into your customers’ Salesforce accounts. Can she use open redirect to accomplish this?

The answer is, unfortunately, yes. Let’s see how.

Trudy utilizes the onSave redirection functionality, just like you did in the Open Redirect demo. However, instead of redirecting to a video, Trudy modifies the URL parameter to redirect users to her own website. Suppose the user clicks Save and is redirected to a login page that looks like this:

Attacker Open Redirect Login Screen

Trudy has styled attackerwebsite.com to look like the Salesforce login page you see when your session expires. If users don’t pay attention to the URL bar, they might enter their credentials into this fake login screen, sending their username and password directly to Trudy. This type of attack is commonly called “phishing.” Open redirects are a favored tool in phishing because they enable an attacker to exploit the faith users have in a redirect performed by an application they trust.

As you’ll see in the next unit, Salesforce takes this type of threat seriously and protects users from open redirect on standard pages.

Resources

Open Web Application Security Project (OWASP) - Open Redirect

Open Web Application Security Project (OWASP) - Open Redirect Cheat Sheet


Remember, this module is meant for Salesforce Classic. When you launch your hands-on org, switch to Salesforce Classic to complete this challenge.
