RequestBin Setup to Demonstrate Open-Redirect

RequestBin lets you inspect HTTP requests, debug webhooks, and so on.  It is open source software originally written by a developer known as @progrium.  The easiest way to set it up and run it is with Docker and Docker Compose.  Why would you want to see the HTTP requests?  The captured requests are useful for debugging whether certain callbacks are actually being made by an application, and from a penetration-testing angle, viewing the HTTP requests that arrive can be used to confirm an open-redirect vulnerability.  According to OWASP, "Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access."  This blog post gives instructions for setting up and running the RequestBin application to help with testing open redirects.

The first step is to install Docker on your Kali machine.  All of the information below is taken from the following guide:

# Add Docker's signing key and apt repository (the redirect into /etc needs root, hence tee)
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
echo 'deb https://download.docker.com/linux/debian stretch stable' | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update
# Remove any distribution-packaged Docker before installing docker-ce
sudo apt-get remove docker docker-engine docker.io
sudo apt-get install docker-ce

Now we must set up Docker Compose.  Compose is a tool for defining and running multi-container Docker applications.  Setup follows this guide:

# Download the compose binary for this OS/architecture into /usr/local/bin (needs root) and make it executable
sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version

Finally, we need to pull down the requestbin GitHub repository and build the project.

git clone https://github.com/Runscope/requestbin.git
cd requestbin
docker-compose build
docker-compose up

The application should now be listening on the external interface on port 8000.  Open your web browser and navigate to http://external_ip:8000.  You will be greeted with a screen much like the following:

Click the large green button to set up a workspace for requests to be sent to.  Take note of the workspace ID; for example, in the screenshot below the ID is 10rx2k41.

In the screenshot above, RequestBin shows several commands that can be used either to test that the application is working or to be adapted for use in an attack.  To begin with I will simply copy and paste the curl command: curl -X POST -d "fizz=buzz" http://0.0.0.0:8000/10rx2k41.  Once the request is sent via curl, RequestBin should respond with a 200 OK.  The web application should redirect you to the next page where you can view the results; if it does not, simply reload the page to view the requests that have been captured, or navigate directly to http://x.x.x.x:8000/workspaceID?inspect.  Here is an example of the curl request that was sent above:

In order to demonstrate the open redirection attack I would need to find a live site or an intentionally vulnerable site that has this specific vulnerability.  Unfortunately, as of writing this post I have not found an example on a site that has given me permission to test or on an intentionally vulnerable machine.  Therefore, I will simply show what the URL would look like during an open redirection attack.  As you can see from the URL below, the gotoField parameter is intended to redirect the user to a separate page or to the homepage after they log in or perform some other action.  However, because its value is not validated, the gotoField can be changed to redirect the user back to our RequestBin site, where the incoming request is captured.

https://customer.site/Folder/?gotoField=http://x.x.x.x:8000/workspaceID/
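As an added example, not code from the original post, here is the server-side check that closes this hole: the gotoField value is only honoured when it resolves to an allow-listed host, so a value pointing at a RequestBin listener is dropped. The names ALLOWED_HOSTS and resolve_goto, the app_base value and the sample inputs are assumptions for the illustration; x.x.x.x is the post's placeholder for the RequestBin host.

```python
from urllib.parse import urljoin, urlsplit

# Hosts this application is allowed to redirect to (constructed for this
# example; a real deployment would load its own list).
ALLOWED_HOSTS = {"customer.site"}


def resolve_goto(app_base, goto):
    """Return a safe absolute redirect target for gotoField, or None.

    app_base: origin the page was served from, e.g. "https://customer.site/Folder/".
    goto:     the raw gotoField query parameter as supplied by the client.

    The vulnerable behaviour is simply `return goto`; instead the value is
    resolved against app_base and accepted only if it still points at an
    allow-listed host over http(s). An external host such as a RequestBin
    listener, a scheme-relative //host, a javascript: or data: URL, and a
    host-confusion trick using userinfo or a look-alike domain are all rejected.
    """
    if not goto:
        return None
    # Browsers treat backslashes as forward slashes, so normalise before parsing
    # so that "/\x.x.x.x" cannot slip past as a relative path.
    candidate = goto.replace("\\", "/")
    resolved = urljoin(app_base, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return None
    return resolved
```

Relative values such as "/account" still work, because urljoin resolves them onto the application's own origin before the host check runs.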

I will continue to keep an eye out for a way to demonstrate this open redirection more clearly using RequestBin.  Until then good luck, and have fun!