
Learn Standard Open Redirect Preventions

Learning Objectives

After completing this unit, you'll be able to:
  • List the four redirect parameters covered under standard redirect protection.
  • Identify cases where the default Salesforce Open Redirect protection fails in custom applications.

Salesforce Uses Redirects Safely

As we saw in the previous unit, redirects are standard application functionality used by many developers. The core Salesforce product itself uses redirects throughout the application; you may already be familiar with them.

Parameter    Usage
startURL     Used to redirect users to a location on page load
retURL       Used to redirect users to a location when they click the Back button
saveURL      Used to redirect users to a location when they click the Save button
cancelURL    Used to redirect users to a location when they click the Cancel button

Explore Salesforce Redirects

In the previous unit, we learned that when these parameters are exposed to users they’re potentially vulnerable to an open redirect attack. So is Salesforce vulnerable? Let’s find out.
  1. Log in to your Kingdom Management developer org and select the Open Redirect app.
  2. Click the Standard Redirect Protections Demo tab.
  3. Click one of the internal redirect links.
    You are redirected to a standard Salesforce record edit page. This page uses the retURL parameter mentioned above to handle redirection.
  4. Click Save.

    You’ll notice that it works as expected—the application redirects you back to the tab you were previously on.

  5. Back on the Standard Redirect Protections Demo tab, this time try clicking one of the external redirect links. The app attempts to redirect you to the same edit page as before; however, this time we’ve set the value of retURL to a link to an externally hosted video.

    You’ll see an error message instead of the redirect.

    What’s happening here? Why didn’t the standard page accept the external redirect parameter value? This is part of the default Salesforce open redirect protection coming into play. By default on all standard pages, Salesforce blocks external redirects.

  6. Try editing the value of retURL in your address bar to different parameter values like https://www.google.com and https://www.salesforce.com.

    You’ll notice that when you try https://www.salesforce.com the error message goes away. This protection is designed to safely redirect only to domains located within the *.salesforce.com, *.visual.force.com, and *.content.force.com space. Anything else returns an error message. You can explore this behavior by trying different URLs to see which trigger the error message.

Salesforce Standard Protections in Custom Visualforce/Apex

In the Kingdom Management developer org, there is a custom application that displays supply requisitions and lets users edit them to transfer supplies between castles. After the user edits a record, they click Save and are redirected back to their home page. Below is the code the application uses for this functionality.

Visualforce:
<apex:commandButton action="{!save}" value="Save"/>
Apex:
public PageReference save() {
    PageReference savePage;
    // Object-level permission check before attempting the update
    if (Schema.SObjectType.Requisition__c.isUpdateable()) {
        try {
            update requisitions;
            // The redirect destination is taken straight from the URL parameter.
            // Note that getParameters().get() matches the name case-insensitively.
            String onsave = ApexPages.currentPage().getParameters().get('retURL');
            onSave = (onSave == NULL) ? '/home/home.jsp' : onSave;
            savePage = new PageReference(onSave);
            savePage.setRedirect(true);
            return savePage;
        } catch (Exception e) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Unable to update requisitions.  Exception: ' + e.getMessage()));
            return null;
        }
    } else {
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'You do not have permission to update requisitions'));
        return null;
    }
}

As you can see, when a user clicks Save in the Visualforce page, it calls the save method in Apex. The save method reads the value of the retURL URL parameter and redirects to that target page. We saw this anti-pattern of trusting a URL parameter earlier, when we demoed open redirect attacks. But if we’re using the default Salesforce redirection parameters, are we safe now? Let’s find out.

  1. In your Kingdom Management developer org, navigate to the Open Redirect application from the app picker.
  2. Select the Visualforce Anti-Protections Demo tab.
  3. Modify the retURL parameter in the URL bar to change it from /home/home.jsp to an external URL like https://www.google.com and submit the page.

    An error message appears, preventing you from storing an external URL.

  4. Try again, but this time change the case on the retURL parameter from retURL to returl. Your new URL should look something like: https://c.[yourinstance].visual.force.com/apex/visualforce_anti_protections_demo?returl=https%3A%2F%2Fwww.google.com
  5. Click the Save button at the bottom of the page.

    Oh no, the redirection still happened! Why did this work?

Unfortunately, the default redirection protections for Salesforce standard pages aren’t fully extended to custom Visualforce and Apex. By default, Salesforce provides a basic redirection protection for the standard redirect parameters: retURL, startURL, cancelURL, and saveURL. However, this protection is case-sensitive; if you change retURL to returl, the platform doesn’t recognize the parameter.

If you’re familiar with Apex, you may know that Apex is case INSENSITIVE. Go back to the line of our Apex code that reads the retURL parameter.

	String onsave = ApexPages.currentPage().getParameters().get('retURL');

This line of code accepts any mix of upper- and lowercase letters in the parameter name (for example, retURL, RETURL, returl, rETurl). So an attacker who is familiar with the platform only needs to change the case of your redirection parameter to bypass the default protections the platform puts in place.

This is an important concept that many developers miss. While the platform uses these redirection parameters safely on standard pages, many developers think they can also use them and be extended the same protections in their code. However, as we demonstrated, that is not the case.

As a result, if you’re doing redirections anywhere in your code where the destination is exposed to the user (like in a URL parameter or a form field) you must put in an additional layer of protection in your code. In the next unit, you’ll walk through and learn different strategies for accomplishing this.
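The gap described in this unit comes down to two lookups that disagree about case: the platform's standard protection recognises the four redirect parameters by their exact names, while the Apex controller's getParameters().get() call matches the name case-insensitively. The following Python model is an added example, not code from this unit or from the Salesforce platform; it assumes (as this unit states) that standard pages allow only relative paths and hosts inside the *.salesforce.com, *.visual.force.com and *.content.force.com space, models that rule as a host-suffix match, and shows the custom controller's save() both as written on this page and with an application-level destination check that runs on the value the controller actually uses, whatever case the parameter name arrived in.

```python
from urllib.parse import urlsplit

# Constructed model of the behaviour this unit describes; it is not platform code.
STANDARD_REDIRECT_PARAMS = ("startURL", "retURL", "saveURL", "cancelURL")

# Domain space this unit says standard pages may redirect to. Modelling it as a
# suffix match on the parsed host is an assumption made for this example.
PLATFORM_ALLOWED_SUFFIXES = (".salesforce.com", ".visual.force.com", ".content.force.com")

DEFAULT_LANDING = "/home/home.jsp"


class RedirectBlocked(Exception):
    """Raised where the standard page would show its redirect error message."""


def is_local_path(url):
    """True only for a path on the current origin: a single leading '/'.
    '//host' and '/\\host' are rejected because browsers treat both as
    scheme-relative URLs pointing at another host."""
    return url.startswith("/") and not url.startswith(("//", "/\\"))


def platform_allows(url):
    """Model of the standard-page rule: local paths, or http(s) URLs whose host
    lies inside the allowed domain space. Backslashes and control characters are
    rejected outright because browsers and URL parsers disagree about them."""
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    if is_local_path(url):
        return True
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and any(
        host == suffix[1:] or host.endswith(suffix) for suffix in PLATFORM_ALLOWED_SUFFIXES
    )


def platform_filter(params):
    """Standard protection as this unit describes it: exact (case-sensitive)
    parameter names only; an offending value produces the error page."""
    for name in STANDARD_REDIRECT_PARAMS:
        if name in params and not platform_allows(params[name]):
            raise RedirectBlocked(name)


def apex_get_param(params, name):
    """Model of ApexPages.currentPage().getParameters().get(): case-insensitive."""
    wanted = name.lower()
    for key, value in params.items():
        if key.lower() == wanted:
            return value
    return None


def vulnerable_save(params):
    """The save() shown in this unit: trusts whatever retURL resolves to."""
    platform_filter(params)
    on_save = apex_get_param(params, "retURL")
    return DEFAULT_LANDING if on_save is None else on_save


def hardened_save(params):
    """Same flow, plus the application's own check on the value it will use.
    Because the check runs after the case-insensitive lookup, changing the
    parameter's case no longer matters; unsafe values fall back to the home page."""
    platform_filter(params)
    on_save = apex_get_param(params, "retURL")
    if on_save is None or not platform_allows(on_save):
        return DEFAULT_LANDING
    return on_save


def outcome(save_fn, params):
    """('blocked', param) where the page would error, else ('redirect', url)."""
    try:
        return ("redirect", save_fn(params))
    except RedirectBlocked as blocked:
        return ("blocked", str(blocked))


if __name__ == "__main__":
    # Constructed query strings mirroring steps 3 and 4 of the Visualforce demo.
    for query in ({"retURL": "https://www.google.com"}, {"returl": "https://www.google.com"}):
        print(query, "as written ->", outcome(vulnerable_save, query))
        print(query, "hardened   ->", outcome(hardened_save, query))
```

The point of the hardened version is not the particular allow-list rule but where it runs: the check sits on the value the controller is about to put into a PageReference, after the case-insensitive lookup, so it cannot be sidestepped by renaming the parameter. Any rule applied only by name, as the standard protection is, inherits the exact-name limitation shown in the demo.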

Resources

Open Web Application Security Project (OWASP) - Open Redirect

Open Web Application Security Project (OWASP) - Open Redirect Cheat Sheet


Remember, this module is meant for Salesforce Classic. When you launch your hands-on org, switch to Salesforce Classic to complete this challenge.
