Web Application URL Redirection Security O.O
CrYpTiC_MauleR
« on: November 11, 2005, 06:50:35 PM »

I have seen phishers use PayPal, Yahoo, etc. URL redirections to trick people. For instance...

http://www.eweek.com/article2/0,1759,1772408,00.asp
http://www.theregister.co.uk/2004/11/01/yahoo_spam_signup_scam/

Basically they use something like http://www.example.com/url.php?url=http://attacker.com/

where everything after .com/ is encoded so it looks like when you click the link you will be taken to example.com, but in fact you are redirected to the attacker's site, and people not looking at the URL in the browser enter their login details etc. I know you can check the URLs submitted against a valid list. But my site allows users to put URLs to their favorite sites. So how would I go about protecting this when a user can easily enter www.attacker.com?
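The redirect described in the post above takes its destination straight from the `url` parameter, which is what makes it usable by phishers. The check a defender wants on that parameter, written here as an added Python example that is not code from the thread; the allowlisted hosts, the `attacker.test` destinations and the sample inputs are constructed:

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist: the hosts a redirect is allowed to land on.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` stays on one of our own hosts.

    Accepts site-relative paths ("/account") and absolute http(s) URLs whose
    host is allowlisted.  Everything else is rejected, including inputs that
    a substring search for "example.com" would wrongly accept.
    """
    if not target:
        return False
    # Decode once so a percent-encoded scheme or "//" cannot hide from the
    # parser.  The decoded form is used for the decision only; the caller
    # still redirects to the original string.
    decoded = unquote(target).strip()
    # Control characters inside a URL are never legitimate here, and some
    # browsers silently strip them, so refuse them before parsing.
    if any(ord(c) < 0x20 for c in decoded):
        return False
    try:
        parts = urlsplit(decoded)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Site-relative: exactly one leading slash.  "//host" is
        # protocol-relative and browsers treat "/\host" the same way.
        return decoded.startswith("/") and decoded[1:2] not in ("/", "\\")
    if parts.scheme not in ("http", "https"):
        return False            # javascript:, data:, ftp: ...
    if parts.username is not None or parts.password is not None:
        return False            # "http://www.example.com@attacker.test/"
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts


def redirect_location(target, fallback="/"):
    """Value for the Location header: the requested target if it passes the
    check, otherwise a safe local fallback."""
    return target if is_safe_redirect(target) else fallback


# Constructed inputs for a quick self-check when run directly.
if __name__ == "__main__":
    for t in ["/account", "https://www.example.com/help",
              "http://attacker.test/", "//attacker.test/",
              "http://www.example.com@attacker.test/", "javascript:alert(1)",
              "http%3A%2F%2Fattacker.test%2F", "/\\attacker.test"]:
        print("%-45s -> %s" % (t, redirect_location(t)))
```

The decision is made on the decoded string but the original is what gets sent back, so a legitimate query string with encoded characters survives unchanged; the fallback to `/` rather than an error keeps the login flow working when a stale or tampered link comes in.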
Roönaän
« Reply #1 on: November 12, 2005, 02:27:05 AM »

Just don't redirect immediately, showing a "you are leaving our site, bla bla" message for about 8 seconds.

Or cross-reference your database to see whether the url you are directing to is actually in your database content.
When you have a content management system, you could build a list of "trusted sites".

Even better is to allow only md5 encrypted keys, and look the actual url up in your database.

A thing I used once was to use ob_start(); ob_get_clean() to fetch the actual site output of my own site, then fetch all external urls, md5 hash them with a salt, and put the correct url in the user's cookie.

You cannot use sessions because the redirector is there to protect your session.
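The keyed-lookup approach from the reply above, as an added Python example (not the poster's PHP): outbound links on a rendered page are replaced by opaque keys and only keys the server itself issued resolve to a URL. HMAC-SHA256 stands in for the post's "md5 with a salt"; the secret, the sample HTML and the `/go?k=` route are constructed. The stateless signed-token variant at the end covers the "you cannot use sessions" point, since the URL and its MAC travel inside the link and nothing is stored server-side:

```python
import base64
import hashlib
import hmac
import re

# Constructed server-side secret; load it from configuration in real code.
SERVER_SECRET = b"example-redirector-secret-rotate-me"


def url_key(url, secret=SERVER_SECRET):
    """Opaque lookup key for an outbound URL.  A keyed hash: nobody can
    produce a valid key for a URL of their own without the secret."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


class RedirectTable:
    """Server-side key -> URL table.  Only URLs our own pages rendered are
    ever registered, so a key made up by a third party resolves to nothing."""

    def __init__(self, secret=SERVER_SECRET):
        self._secret = secret
        self._urls = {}

    def register(self, url):
        key = url_key(url, self._secret)
        self._urls[key] = url
        return key

    def resolve(self, key):
        return self._urls.get(key)


def rewrite_outbound_links(html, table):
    """Replace every absolute href in rendered HTML with /go?k=<key>.  This
    is the ob_start()/ob_get_clean() idea: capture the page, rewrite the
    links, serve the rewritten copy.  Site-relative hrefs are left alone."""
    def repl(match):
        return 'href="/go?k=%s"' % table.register(match.group(1))
    return re.sub(r'href="(https?://[^"]+)"', repl, html)


# Stateless variant: the URL travels inside the link together with a MAC.
def sign_url(url, secret=SERVER_SECRET):
    body = base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii")
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_signed_url(token, secret=SERVER_SECRET):
    """Return the URL if the MAC checks out, else None."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        return base64.urlsafe_b64decode(body.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
```

Either form answers the original question the same way: a user can still add `www.attacker.com` as a favourite, but the redirector only ever follows links the site itself generated, and a `/go?k=...` or signed link cannot be edited to point somewhere else without invalidating it.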
CrYpTiC_MauleR
« Reply #2 on: November 12, 2005, 06:25:50 AM »

Yeah, I check against the URL in the database through the url's id. But a user from my site can just as easily add a new URL for their link and do the attack. I like your first idea.

URL: http://www.mysite.com/url/18/23/

where 18 is the user's account number
23 is the url id number in the database; they have a form to add/edit/remove URLs to their favorite sites etc...

I'll put a redirection page and have an HTTP refresh to the new URL, but there are still stupid users out there who will be like doh, I didn't know it wasn't your site anymore and I entered my login details. I suppose there is no way to help mitigate that =oP
nicholassolutions
« Reply #3 on: November 12, 2005, 11:51:16 AM »

I'd put a link or form button on the redirection page and say something like

"You are leaving the site. If the following page asks for your login info it is a scam. Click the button to acknowledge that you understand and proceed."

Probably someone will STILL do something stupid, but I think that will cut your chances down quite a bit and increase the possibility that people will actually understand what is going on. You might also offer them the option of setting preferences so that they can change this to a simpler redirection once they have acknowledged that they understand.
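The interstitial page the thread converges on, as an added Python example that is not code from any of the posters: the `/url/<user>/<id>/` scheme from Reply #2 looks the destination up in a server-side table, the page carries the wording and confirm button from Reply #3, the `refresh_after` option gives the delayed-refresh variant from Reply #1, and `SKIP_WARNING` models the preference Reply #3 suggests for users who have acknowledged the warning. The favourites table, the preference store and the `handle_redirect` handler are all constructed:

```python
from html import escape
from urllib.parse import urlsplit

# Constructed favourites table keyed (user_id, url_id); a real site reads
# this from its database.
FAVOURITES = {
    (18, 23): "https://partner.example.net/login",
}
# Constructed preference store: users who chose the simpler redirection.
SKIP_WARNING = set()

WARNING = ("You are leaving the site. If the following page asks for your "
           "login info it is a scam. Click the button to acknowledge that you "
           "understand and proceed.")


def render_interstitial(user_id, url_id, url, refresh_after=None):
    """Warning page with an explicit confirm button.  With refresh_after set
    it also continues automatically after that many seconds; leave it None
    for the button-only page."""
    host = escape(urlsplit(url).hostname or "", quote=True)
    meta = ""
    if refresh_after is not None:
        meta = '<meta http-equiv="refresh" content="%d;url=%s">\n' % (
            refresh_after, escape(url, quote=True))
    page = (
        "<!doctype html>\n"
        "%s"
        '<meta name="referrer" content="no-referrer">\n'
        "<p>%s</p>\n"
        "<p>Destination host: <b>%s</b></p>\n"
        '<form method="post" action="/url/%d/%d/">\n'
        '  <input type="hidden" name="confirm" value="1">\n'
        "  <button>I understand, take me there</button>\n"
        "</form>\n"
    )
    return page % (meta, WARNING, host, user_id, url_id)


def handle_redirect(method, user_id, url_id, form=None,
                    favourites=FAVOURITES, skip=SKIP_WARNING):
    """Handler for /url/<user_id>/<url_id>/ returning (status, headers, body).

    The destination comes only from the server-side table, never from the
    request, and the 302 is issued only after an explicit POST confirmation
    or for users who opted into the simpler redirection."""
    url = favourites.get((user_id, url_id))
    if url is None:
        return 404, {"Content-Type": "text/plain"}, "Unknown link"
    confirmed = method == "POST" and (form or {}).get("confirm") == "1"
    if confirmed or (method == "GET" and user_id in skip):
        return 302, {"Location": url, "Referrer-Policy": "no-referrer"}, ""
    return (200, {"Content-Type": "text/html; charset=utf-8"},
            render_interstitial(user_id, url_id, url))
```

Showing the destination host on the page gives the "stupid user" one more visible cue than the address bar, and the no-referrer policy keeps the originating site's URL out of the request the external site receives, so a phishing page cannot tailor itself to where the visitor came from.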