On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
After seeing the various messages about open redirects, I did a search about "safe" http redirectors, but didn't find many resources.
While it's not that difficult to make a safe one with a manual whitelist, it's not in all scripts (.asp, .pl, .php) easy to make a script that uses SURBL to block spammers. Such a script would have the big advantage that it could be generic. Are there any available on the net?
An equally important strategy to making a safe redirector, absent whitelisting of partial or entire hostnames, is to employ HMAC authentication. Basically, your redirector generator keeps a secret, you hash the secret with the URL and give back an auth token, then send back both the token and the URL to the real redirector. The redirector re-computes and compares the auth token, and redirects only if the token matches. Basically, it's a simplified form of only redirecting to signed URLs which requires only one secret.
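As an added illustration of the scheme above (example code, not from the poster or any particular redirector script), here is the generator side and the redirector side in Python, with a constructed demo secret and a hypothetical redirector path:

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed secret for the demo only; in deployment load it from server-side config,
# never from anything the client sends.
SECRET = b"demo-secret-do-not-reuse"


def sign_url(url: str, secret: bytes = SECRET) -> str:
    """Auth token: HMAC-SHA256 keyed with the secret over the exact target URL."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_link(redirector: str, url: str, secret: bytes = SECRET) -> str:
    """Generator side: the link handed out, carrying both the URL and its token.
    `redirector` is whatever path the real redirector script lives at (assumed)."""
    return redirector + "?" + urlencode({"url": url, "token": sign_url(url, secret)})


def verify_redirect(query_string: str, secret: bytes = SECRET):
    """Redirector side: recompute the token from the query string and compare.
    Returns the URL to redirect to, or None if the request must be refused."""
    params = parse_qs(query_string, keep_blank_values=True)
    urls, tokens = params.get("url", []), params.get("token", [])
    if len(urls) != 1 or len(tokens) != 1:
        return None  # missing or duplicated parameters: refuse rather than guess
    url, token = urls[0], tokens[0]
    expected = sign_url(url, secret)
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected, token):
        return None
    return url


if __name__ == "__main__":
    link = build_redirect_link("/redirect.php", "https://example.org/page?x=1")
    print(link)
    print(verify_redirect(link.split("?", 1)[1]))          # the signed URL
    print(verify_redirect("url=https://example.net/&token=bogus"))  # None
```

Because the token is bound to the exact URL, changing any character of the URL (or omitting the token) makes the redirector refuse, so spammers cannot reuse it as an open redirect without the secret.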