Marsh Ray <ma...@extendedsubset.com> wrote: > > But now if we successfully convince every developer on the planet to > > stop using HTTP redirection, that doesn't change that the user doesnt > > know how to determine if the URL is trusted or not, so we just use one > > of dozens of other simple tricks. > > > > Surely the correct solution is to educate those users who are doing it > > incorrectly. > > I am in complete agreement with you. > > Let's say you are a bank that has just invested in a successful > anti-phishing user education campaign. All the users have been trained to > look beneath the HTML in emails, not to accept invalid SSL certificates, > and only follow "legitimate" links that look like: > > https://*.examplebank.com/ > > At that point an open redirect is found under your site, such that > https://onlinebanking.examplebank.com/confirm.aspx?customerid=1234&return=http%3a%2f%2fpwn%2ely > drives the browser to the attacker's phishing site. > > Does this represent a vulnerability? > > - Marsh
So they've trained their users to parse and understand html, can decode complex documents manually, and understand the difference between anchor text and destination. They can decipher complex URLs using any of the obscure syntax supported, and understand the heirarchichal nature of the domain name system. They've also learned how to verify SSL certificates without clicking on links (perhaps using openssl s_client?). Bizarrely, they've also been convinced to never read the address bar (which is really all they needed to do from the start instead of the hours of training requiring them to reach this level). Then yes, you have a vulnerability. However, it's in the criminally negligent training material provided by the bank :-) Tavis. -- ------------------------------------- tav...@cmpxchg8b.com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/