https://github.com/peterfox/laravel-secure-redirect
- Host: GitHub
- URL: https://github.com/peterfox/laravel-secure-redirect
- Owner: peterfox
- Created: 2023-05-23T23:09:51.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2023-05-23T23:10:22.000Z (about 3 years ago)
- Last Synced: 2025-01-10T13:51:27.556Z (over 1 year ago)
- Language: PHP
- Size: 72.3 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Laravel Secure Redirect Back
The purpose of this repo is to show how a Laravel application can protect `redirect()->back()`
against abuse of the `Referer` HTTP header.
# The Exploit
The exploit itself is fairly simple: the `Referer` header is supplied by the client, so it can
carry a different domain (for example the attacker's own, when the form was submitted from a page
the attacker hosts). `UrlGenerator::previous()` treats that header as the previous URL, so when
application code calls `back()` on the `Redirector` class (commonly via the `redirect()` helper),
the user is redirected to the attacker's URL.
This helps phishing-style attacks: the user submits a form to the legitimate domain with input that
fails validation, and the failed-validation redirect sends them to a different website that looks
the same as the original, where the attacker can trick them into handing over login details for the
original site or other information.
This has been documented before: https://github.com/laravel/framework/issues/14642
# The Fix
To resolve this problem, a quick URL check should make sure the host of the previous URL is either
the App URL host (`app.url` in the config) or in an allowlist of permitted domains. In this demo
it's just the App URL.
The change involves overriding the `Redirector` class so that its `back()` method applies this check,
and overriding the `invalid()` method of `App\Exceptions\Handler` so that the failed-validation
redirect does not use the raw previous URL that `UrlGenerator::previous()` derives from the `Referer` header.
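One way to implement both overrides, as an added example that is not the repository's own code: it relies on Laravel's real `Redirector::back()`, `UrlGenerator::previous()` and `Handler::invalid()` APIs, while the class name `SecureRedirector` and the config key `redirect.allowed_hosts` are this example's assumptions.

```php
<?php
// Added example, not code from the peterfox/laravel-secure-redirect repository.
// It assumes Laravel's real Redirector, UrlGenerator and exception Handler APIs;
// the class name SecureRedirector and the config key redirect.allowed_hosts are
// this example's own choices.

namespace App\Routing {

    use Illuminate\Routing\Redirector;

    class SecureRedirector extends Redirector
    {
        // Same signature as Redirector::back(). The "previous" URL comes from
        // UrlGenerator::previous(), which prefers the client-supplied Referer header.
        public function back($status = 302, $headers = [], $fallback = false)
        {
            $previous = $this->generator->previous($fallback);

            if (! static::isSafeRedirectTarget($previous, static::allowedHosts())) {
                // Off-site, scheme-relative or unparseable: use the caller's fallback or the app root.
                $previous = $this->generator->to($fallback ?: '/');
            }

            return $this->createRedirect($previous, $status, $headers);
        }

        // Hosts a back() redirect may target: the app.url host plus an optional allowlist.
        public static function allowedHosts(): array
        {
            $hosts = (array) config('redirect.allowed_hosts', []); // assumed config key
            $appHost = parse_url((string) config('app.url'), PHP_URL_HOST);
            if (is_string($appHost) && $appHost !== '') {
                $hosts[] = $appHost;
            }

            return array_map('strtolower', $hosts);
        }

        // Accepts http(s) URLs whose host is allowlisted and plain same-site paths.
        // Rejects "//evil.example" (scheme-relative), "https://app.example@evil.example"
        // (userinfo trick: parse_url puts the real host in 'host'), "/\evil.example"
        // (browsers read the backslash as a slash) and non-http schemes such as javascript:.
        public static function isSafeRedirectTarget(string $url, array $allowedHosts): bool
        {
            $parts = parse_url($url);
            if ($parts === false) {
                return false;
            }

            $scheme = strtolower($parts['scheme'] ?? '');
            $host   = strtolower($parts['host'] ?? '');

            if ($scheme === '' && $host === '') {
                $path = $parts['path'] ?? '';

                return $path !== '' && $path[0] === '/'
                    && ! str_starts_with($path, '//') && ! str_starts_with($path, '/\\');
            }

            return in_array($scheme, ['http', 'https'], true)
                && $host !== ''
                && in_array($host, $allowedHosts, true);
        }
    }
}

namespace App\Exceptions {

    use App\Routing\SecureRedirector;
    use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
    use Illuminate\Support\Arr;
    use Illuminate\Validation\ValidationException;

    class Handler extends ExceptionHandler
    {
        // The stock invalid() redirects to $exception->redirectTo ?? url()->previous(),
        // i.e. to whatever the Referer said. redirectTo is checked as well, because a
        // FormRequest fills it from the previous URL too.
        protected function invalid($request, ValidationException $exception)
        {
            $target = $exception->redirectTo ?? url()->previous();

            if (! SecureRedirector::isSafeRedirectTarget($target, SecureRedirector::allowedHosts())) {
                $target = url('/');
            }

            return redirect($target)
                ->withInput(Arr::except($request->input(), $this->dontFlash))
                ->withErrors($exception->errors(), $request->input('_error_bag', $exception->errorBag));
        }
    }
}
```

To activate the redirector it has to be bound in place of `Illuminate\Routing\Redirector`, for example by extending the `redirect` container binding in a service provider and calling `setSession()` on the new instance as Laravel's `RoutingServiceProvider` does. With `app.url` set to `https://app.example`, `isSafeRedirectTarget()` accepts `https://app.example/form` and `/form`, and rejects `https://evil.example/form`, `//evil.example`, `https://app.example@evil.example/` and `javascript:alert(1)`. Comparing hosts case-insensitively after `parse_url()` rather than with a string prefix match is the point of the helper: a prefix check on `https://app.example` would let `https://app.example.evil.example` through.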
# Tests
Tests are provided to show both scenarios (a direct `redirect()->back()` and a failed-validation
redirect) blocking an altered `Referer` header.