Course

In this lab, we focus on a Ruby on Rails application. The provided code includes a route configuration and a controller action designed to handle redirections. The route configuration specifies that accessing '/redirect/' will invoke the 'redirect' action in the 'WelcomeController'. The controller action checks the 'redirect_uri' parameter and redirects accordingly. If the 'redirect_uri' starts with a '/', it redirects to the provided URI. If it matches a specific pattern, it redirects to a URL starting with 'pentesterlab.com'. Otherwise, it defaults to redirecting to the root path '/'.

The vulnerability lies in the first conditional check. By allowing any URI that starts with '/', an attacker could manipulate the 'redirect_uri' to redirect to an external website by using a double slash (e.g., '//www.google.com'), which browsers interpret as an external URL. To mitigate this, the code should ensure the second character is not a '/' after the initial slash, effectively preventing open redirection attacks.

This lab underscores the importance of thorough validation when handling user inputs, especially in redirect functionalities. Even seemingly minor oversights can lead to significant vulnerabilities.