
Google warnings about Open Redirect URLs

djbaxter
Open redirect URLs: Is your site being abused?
by Jason Morrison, Google Search Quality Team
Friday, January 30, 2009

Redirects being abused by spammers
We have noticed spammers going after a wide range of websites, from large well-known companies to small local government agencies. The list below is a sample of the kinds of redirect we have seen used. These are all perfectly legitimate techniques, but if they're used on your site you should watch out for abuse.

  • Scripts that redirect users to a file on the server—such as a PDF document—can sometimes be vulnerable. If you use a content management system (CMS) that allows you to upload files, you might want to make sure the links go straight to the file, rather than going through a redirect. This includes any redirects you might have in the downloads section of your site.
  • Systems to track clicks for affiliate programs, ad programs, or site statistics might be open as well.
  • Proxy sites, though not always technically redirects, are designed to send users through to other sites and therefore can be vulnerable to this abuse. This includes those used by schools and libraries.
  • In some cases, login pages will redirect users back to the page they were trying to access.
  • Scripts that put up an interstitial page when users leave a site can be abused. Lots of educational, government, and large corporate web sites do this to let users know that information found on outgoing links isn't under their control.

...more
 
Google warning: is your site abused through redirects?

Axandra News
17 February 2009

How to find out if your website is abused
  1. Make a site search on Google
  2. Go to Google.com and search for "site:yourdomain.com". Replace yourdomain.com with your own domain name. If you see web pages that have nothing to do with your website then it's likely that someone exploits a security hole on your website.
  3. Check your web server logs for URL parameters like "=http:" or "=//". If your redirection URLs get a lot of traffic, this could also be caused by spammers.
  4. If you get user complaints about content or malware that you know cannot be found on your website then your website users might have seen your URL before they were redirected to the malware site.
What you can do to protect your website
  1. Check the referrer. Your redirect scripts should only work if they are accessed from another web page of your website. The redirect script should not work if the user accesses the script directly or from a search engine.
  2. If possible, make sure that the script can only redirect to web pages and files that are on your own websites. You could use a whitelist of allowed destination domains.
  3. Use the robots.txt file of your website to exclude search engines from the redirect scripts on your website. That will make your website less attractive for hackers.
  4. Add a signature or a checksum to your redirect links so that only you can use the script.
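
Protection steps 2 and 4 above (a whitelist of destination domains and a signature on redirect links), sketched in Python as an added example that is not part of the quoted article or of this thread. The secret key, the host list and the `/out` path are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

# Assumed values for illustration: use your own secret and your own host names.
SECRET_KEY = b"replace-with-a-random-server-side-secret"
ALLOWED_HOSTS = {"www.example.com", "downloads.example.com"}


def sign(target: str) -> str:
    """HMAC-SHA256 over the exact destination URL, hex encoded."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(target: str) -> str:
    """Build the link the site itself publishes (hypothetical /out endpoint)."""
    return "/out?" + urlencode({"url": target, "sig": sign(target)})


def is_allowed_destination(target: str) -> bool:
    """Accept only absolute http(s) URLs whose host is on the allowlist."""
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False  # browsers may read "\" as "/"; control characters are never valid
    try:
        parts = urlsplit(target)
    except ValueError:
        return False  # malformed authority, e.g. an unclosed "[" in the host
    if parts.scheme not in ("http", "https"):
        return False  # rejects "//host", "javascript:" and relative paths
    if parts.username is not None or parts.password is not None:
        return False  # rejects "https://www.example.com@unrelated.test/"
    return parts.hostname in ALLOWED_HOSTS


def resolve_redirect(target: str, sig: str, fallback: str = "/") -> str:
    """Return the Location to send: the target if valid, else a safe fallback."""
    if not hmac.compare_digest(sign(target).encode(), sig.encode()):
        return fallback  # the link was not generated by this site
    if not is_allowed_destination(target):
        return fallback  # signed, but the host is not on the allowlist
    return target
```

The allowlist check runs even when the signature is valid, so a leaked key alone does not turn the script back into an open redirect.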
 
Good stuff. I just did a check on all domains and sites I have ever owned -- all good, but I will keep a better eye out for this. Thanks.
 