Vulnerability in Details :
====================

Introduction :

An open redirect is a function in your application which sends the user to some other location. The redirect could be a response from the server, such as an HTTP 301 or 302 response code, or a META refresh tag. The redirect can be delivered in several forms; the important part is that when an attacker can control the redirect location, they can exploit it for nefarious purposes, usually spam or phishing attacks.

Analysis :
====================

After applying some tests on many Google services I found an open redirect flaw. This is a particularly disturbing form of abuse because it takes advantage of your site's own functionality, which an attacker can exploit for bad purposes. I found this weakness by tracking the URL redirection in the Google search engine, which intentionally provides redirects to arbitrary URLs. Initially I thought it was a normal operation, secured from any exploitation of this kind through validation of the parameter value, so that each redirect contains only an allowed destination. I looked at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL, then I changed the URL target and observed whether the site redirects to the new target. I checked all parameters to see if they look like part of a redirect; some of these parameters are not important in this operation (i.e. "&bvm", "&esrc=", "web&cd="), so I reduced the URL to the following form:

[ http://www.google.com/url?sa=t&rct=&url=http://www.example.com&ei=&usg="AFQjCNxxxx" ]

Consequently I examined several forms of redirection URL, so I understood very well how Google redirects users to a target website. I also tried the redirection in Google+, but it was secured by showing a message ===> ( redirecting you to www.example.com ).
However, the only problem I encountered was that I could not reach a static value of the "&usg" variable that could be used on all websites, since the target page is specified in a validated parameter. But then I realized that each URL has a static parameter which validates the redirection every time this operation is performed. So I tested on a large number of URLs; the redirection was successful and the validation hash was constant for each URL.

Where the risk lies in this situation ?
==============================

The issue I have noticed here is that the attacker can in any situation obtain the validation hash by simply tracing his own website in the Google search engine and replacing the hash value after the parameter "&usg={Specified hash}" in the URL form I already mentioned above; the redirection is then done directly. The phisher then links to the redirect and tricks victims into clicking it by different methods. So I urge you to consider anyone who can trick your users into submitting a request to your website as a dangerous case.

Remark : I just want the security team to bear in mind that this weakness is really difficult to discover; moreover it is simple to trick a usual user, and also some users from the security community, and it is awkward to notice that it is a crafted link, especially when URL shortening websites are used. I have tried it on a sample of people, using safe content, through (Gmail/Google+/...) and every time the phishing attempts had a more trustworthy appearance.
- The phisher may also use obfuscation techniques to avoid link detection by the victim, for example converting the link to make the content harder to unmask:

http://www.google.com/url?sa=t&rct=&url=http://www.example.com/&usg="parameter value for definite website"

into this link:

http://www.google.com/url?sa=t&rct=&url=http://%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D&usg="parameter value for definite website"

using the hexadecimal (percent-encoded) equivalent of the host name, other URL-encoding methods, and IP obfuscation too.

Proposal Solutions :
=================

#1- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, and syntax.
- Implement a long timeout before the redirect occurs, or force the user to click on the link, when some parameters are not in the right places.

#2- Generate the validation hash value per use, so that a URL containing the specific parameters is valid only once, or only for one IP address. Build URL forms that are hard for an attacker to reuse, by including various query string parameters signed with a private Google key that a phisher cannot guess.
- Use a whitelist of approved URLs or domains to be used for redirection; also implement a SafeRedirect() function and raise alerts when detecting unusual activity.
- Allow redirects directly (in the Google search engine) without showing the URL which will perform this operation.
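The following is an added example, written for this report and not code from the report's author or from Google's /url endpoint. It illustrates both the obfuscation point above (percent-decoding the authority exposes the real host) and proposal #2 (a redirect token bound to the exact target URL and an expiry, checked together with a host whitelist). The secret key, the whitelist, and the names canonical_host, static_token, legacy_redirect, issue_token and safe_redirect are assumptions of the example; the token format is not the real "usg" format. legacy_redirect mirrors the weakness described in the report, where a token that depends only on the URL can be harvested once and replayed forever:

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hypothetical server-side secret and whitelist; both are assumptions of this
# example, not values from the report or from Google's /url endpoint.
SECRET = b"example-secret-key-not-for-production"
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def canonical_host(url: str) -> Optional[str]:
    """Decoded, lower-cased host of an absolute http(s) URL, else None.

    Percent-decoding the authority unmasks hosts written as
    http://%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D (www.example.com).
    Decimal or hex IP forms stay numeric and so never match a host whitelist.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # "http//www.example.com" and relative paths land here
    authority = unquote(parts.netloc)
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
    return host or None


def static_token(url: str) -> str:
    """Weak scheme: the token is a pure function of the URL, so once an
    attacker sees it in a search result it stays valid forever."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def legacy_redirect(url: str, token: str) -> Optional[str]:
    """Mirrors the weakness in the report: any URL with its harvested token
    is accepted, at any time, with no destination whitelist."""
    if hmac.compare_digest(static_token(url), token):
        return url
    return None


def issue_token(url: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Token bound to the exact target URL and an expiry timestamp."""
    exp = int((time.time() if now is None else now) + ttl)
    sig = hmac.new(SECRET, f"{exp}|{url}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{sig}"


def safe_redirect(url: str, token: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened check: whitelist on the decoded host, then a short-lived
    HMAC over the target. Returns the URL to send a 302 to, or None."""
    host = canonical_host(url)
    if host is None or host not in ALLOWED_HOSTS:
        return None
    try:
        exp_text, sig = token.split(".", 1)
        exp = int(exp_text)
    except ValueError:
        return None
    if (time.time() if now is None else now) > exp:
        return None  # a harvested token cannot be replayed after ttl
    expected = hmac.new(SECRET, f"{exp}|{url}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return url


if __name__ == "__main__":
    victim_url = "http://www.example.com/"
    attacker_url = "http://attacker.invalid/login"  # constructed sample input
    # Attacker harvests the static token for their own site once and reuses it.
    harvested = static_token(attacker_url)
    print("legacy:", legacy_redirect(attacker_url, harvested))
    # Hardened endpoint: host not whitelisted, so refused regardless of token.
    print("safe  :", safe_redirect(attacker_url, issue_token(attacker_url)))
    obfuscated = "http://%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D/"
    print("host  :", canonical_host(obfuscated))
    print("safe  :", safe_redirect(victim_url, issue_token(victim_url)))
```

The whitelist is applied to the decoded host, so the percent-encoded form of www.example.com is recognised as the same destination rather than slipping past a string comparison, and a numeric or hex IP host simply never matches. Binding the HMAC to the expiry and the full target URL means a token copied from a search result stops working after the ttl and cannot be moved to a different path on the same site.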