URL Redirection attack with ‘Refresh’ header

May 21

During a recent security assessment I noticed a situation where user input was inserted directly into the response headers. This is obviously suspicious, as the input is reflected directly in the response. A cross-site scripting attack does not work here, because the input is reflected in the response headers rather than in the body. I tried a response splitting attack; that did not work either, as the application validates the CR LF characters. A Location header got inserted perfectly, but the browser did not redirect the user to the new location because the response code was 200 OK. The browser automatically redirects the user only on a 302 response code. So what we need here is a header which, like Location, makes the browser navigate to the specified website on its own. Thinking for a while gave me the idea of using meta refresh tags. The Refresh header behaves like the HTML meta refresh tag: it works like the Location header, except that with Refresh we can also specify the delay before the browser refreshes.

So inserting Refresh=0; url= as the input was reflected in the response header and automatically redirected the user to a third-party website:

HTTP/1.1 200 OK
Refresh: 0; url=
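The following is an added example, not code from the original post. It models the flaw the post describes (user input copied into the response headers after CR/LF are stripped), adds detection logic that flags any Location or Refresh header pointing off-site, and shows the hardened alternative: the server chooses the header itself and only emits redirect targets that pass an allow-list. All host names, the allow-list and the sample inputs are constructed for illustration.

```python
"""Reflected response-header injection: model, detection and hardening.

Added example (not from the original post). Host names and inputs below
are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts the application is allowed to send the browser to (constructed).
ALLOWED_HOSTS = {"app.example.test"}


def vulnerable_build_response(user_input: str) -> str:
    """Mirror the flawed behaviour from the post: CR/LF are removed (so
    response splitting fails), but the remaining input is dropped into the
    header block as its own line, so the caller picks both header name and
    value. Deliberately insecure; kept here for the detector to run against."""
    cleaned = user_input.replace("\r", "").replace("\n", "")
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        f"{cleaned}\r\n"
        "\r\n"
        "<html>ok</html>"
    )


# Refresh header value: "<seconds>; url=<target>" (case-insensitive, optional quotes)
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def offsite_redirects(raw: str, allowed_hosts=ALLOWED_HOSTS) -> list[str]:
    """Return every redirect target in the response that leaves the allowed
    hosts, whether carried by Location or by Refresh. Relative targets
    (no host) are not reported. Useful as a scanner / proxy check."""
    found = []
    for name, value in parse_headers(raw):
        if name == "location":
            target = value
        elif name == "refresh":
            match = _REFRESH_RE.match(value)
            if not match:
                continue
            target = match.group(1)
        else:
            continue
        # urlparse treats "//host/path" as scheme-relative, so netloc is set for it too
        host = urlparse(target).netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        if host and host not in allowed_hosts:
            found.append(target)
    return found


# Redirect targets: printable ASCII only, no whitespace or control characters
_TARGET_CHARS = re.compile(r"^[\x21-\x7e]+$")


def is_safe_redirect(target: str) -> bool:
    """Allow-list check: a site-relative path (not "//..." and no backslash,
    which some browsers normalise to "/") or an absolute http(s) URL whose
    host is in ALLOWED_HOSTS."""
    if not _TARGET_CHARS.fullmatch(target) or "\\" in target:
        return False
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def hardened_redirect(target: str) -> str:
    """Safe variant: the server owns the header name and status code, and
    only a validated target reaches the Location value."""
    if not is_safe_redirect(target):
        raise ValueError("redirect target rejected by allow-list")
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    # Constructed input of the kind the post describes
    flawed = vulnerable_build_response("Refresh: 0; url=http://attacker.example.test/")
    print("off-site redirects in flawed response:", offsite_redirects(flawed))
    print("off-site redirects in hardened response:",
          offsite_redirects(hardened_redirect("/dashboard")))
```

The detector deliberately ignores the status code: the post shows that a Location header on a 200 response is inert, but a Refresh header on the same response is not, so both headers are worth flagging whenever they point off-site. The hardened variant also rejects userinfo tricks such as `https://app.example.test@other.host/` because it checks `parts.hostname`, not a substring of the URL.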


Posted by on May 21, 2012 in web application hacking



3 responses to “URL Redirection attack with ‘Refresh’ header”

  1. Joanie War

    August 3, 2012 at 3:47 pm

    What’s happening? I’m new to this. I stumbled upon this and I have found it positively helpful; it has helped me out loads. I hope to contribute and aid other users like it’s aided me. Good job.

  2. Rajeev Mishra

    February 18, 2013 at 1:12 pm

    It’s a URL Redirection because of improper sanitization of intake user input in the response Location header from the application. At a basic level it would be a case of Response Splitting (if the application doesn’t validate CR-LF injection), and if that validation is there it would be a case of URL Redirection.

    Please comment..

    • satishb3

      February 18, 2013 at 9:27 pm

      Yes, that is right. It is filtering CR LF; that is the reason it ended up as URL redirection.