SlideShare a Scribd company logo

Paper nctsn

F
Franciny S.

The document discusses an open redirect vulnerability found on the website nctsnet.org. An open redirect occurs when a website redirects a user's browser to a different URL, allowing an attacker to perform phishing attacks or distribute malware. The vulnerability on nctsnet.org was found in the pubdlcnt.php script, which did not validate or verify the redirect URL. An attacker could exploit this by crafting a malicious URL with the vulnerability and tricking users into clicking on the link. Open redirects abuse a site's trust and can be used to steal user information or credentials from a trusted domain.

Technology
1 of 3
Download to read offline
Open Redirect Vulnerability on NCTSN nctsnet.org has a link you can exploit it using open redirect vulnerability for a phishing. If you right click on mouse you can see this url: Taking the second part of the link, after pubdlcnt.php? =, you can include a malicious url and send to some user to perform phishing. http://www.nctsnet.org/sites/all/modules/pubdlcnt/pubdlcnt.php?file=
Analyzing the source code, we can observe that there is no validation or verification of the link to where the user will be redirected. But what are Open Redirect Vulnerabilities? An open redirect vulnerability occurs when a victim visits a particular URL for a given website and that website instructs the victim’s browser to visit a completely different URL, on a separate domain. When you visit the URL, the main page would receive a GET HTTP request and use the variable to parameter's value to determine where the visitor's browser should be redirected. After doing só, another page would return a 302 HTTP response, instructing the user's broswer to make a GET request to another page, the variable parameter's value. The Open Web Application Security Project (OWASP), which is a community dedicated to application security that curates a list of the most critical security flaws in web applications, has listed this vulnerability in ther 2014 Top Ten vulnerabilities list. Open redirects exploit the trust of a given domain, www.nctsnet.org, to lure victims to a malicious website. This can be used in phishing attack to trick users into believing theu are submitting information to the trusted site, when their valuable information is actually going to a malicious site. This also enables attackers to distribute malware from the malicious site or steal Oauth tokens.
Not all vulnerabilities are complex. This open redirect simply required changing the domain_name parameter to an external site, which would have resulted in a user being redirected off-site from NCTSNET. This type of vulnerability relies on an abuse of trust, where victims are tricked into visiting an attacker's site thinking they will be visiting a site they recognize. When you spot likely vulnerable parameters, be sure to test them out thoroughly and add special characters, like a period, if some part of the URL is hard-coded.

Recommended

Webspoofing
WebspoofingWebspoofing
Webspoofingjaimin_m_raval
 
Classifying fake news articles using natural language processing to identify ...
Classifying fake news articles using natural language processing to identify ...Classifying fake news articles using natural language processing to identify ...
Classifying fake news articles using natural language processing to identify ...Venkat Projects
 
Security Protection for WordPress
Security Protection for WordPressSecurity Protection for WordPress
Security Protection for WordPressSamuel Soon
 
Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017
Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017
Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017Paubox, Inc.
 
Warningbird
WarningbirdWarningbird
WarningbirdAndy Newell
 
How Twitter Usage Differs Between Humans and Company Accounts
How Twitter Usage Differs Between Humans and Company AccountsHow Twitter Usage Differs Between Humans and Company Accounts
How Twitter Usage Differs Between Humans and Company AccountsAlex Ishida
 
WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...
WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...
WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...Augustin Jose
 
Security for javascript
Security for javascriptSecurity for javascript
Security for javascriptHữu Đại
 

Recommended

Webspoofing
WebspoofingWebspoofing
Webspoofingjaimin_m_raval
 
Classifying fake news articles using natural language processing to identify ...
Classifying fake news articles using natural language processing to identify ...Classifying fake news articles using natural language processing to identify ...
Classifying fake news articles using natural language processing to identify ...Venkat Projects
 
Security Protection for WordPress
Security Protection for WordPressSecurity Protection for WordPress
Security Protection for WordPressSamuel Soon
 
Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017
Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017
Anatomy of a Ransomware Attack - Paubox SECURE Conference 2017Paubox, Inc.
 
Warningbird
WarningbirdWarningbird
WarningbirdAndy Newell
 
How Twitter Usage Differs Between Humans and Company Accounts
How Twitter Usage Differs Between Humans and Company AccountsHow Twitter Usage Differs Between Humans and Company Accounts
How Twitter Usage Differs Between Humans and Company AccountsAlex Ishida
 
WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...
WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...
WARNINGBIRD: A NEAR REAL-TIME DETECTION SYSTEM FOR SUSPICIOUS URLS IN TWITTER...Augustin Jose
 
Security for javascript
Security for javascriptSecurity for javascript
Security for javascriptHữu Đại
 
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven HatfieldNTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven HatfieldNorth Texas Chapter of the ISSA
 
How I Hacked The Government And Got Away With It
How I Hacked The Government And Got Away With ItHow I Hacked The Government And Got Away With It
How I Hacked The Government And Got Away With ItSteven Hatfield
 
Stateless Anti-Csrf
Stateless Anti-CsrfStateless Anti-Csrf
Stateless Anti-Csrfjohnwilander
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website TrendsSucuri
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryChristopher Grayson
 
Sucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri
 
Webinar: CWAF for Mid Market/Enterprise Organizations
Webinar: CWAF for Mid Market/Enterprise OrganizationsWebinar: CWAF for Mid Market/Enterprise Organizations
Webinar: CWAF for Mid Market/Enterprise OrganizationsSucuri
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Web spoofing (1)
Web spoofing (1)Web spoofing (1)
Web spoofing (1)Khushboo Taneja
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Netsparker
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly applicationAbhinav Mishra
 
Web spoofing
Web spoofingWeb spoofing
Web spoofingkondalarao7
 
Cookie surveillance
Cookie surveillanceCookie surveillance
Cookie surveillanceGreg Sterling
 
Unauthorized access, Men in the Middle (MITM)
Unauthorized access, Men in the Middle (MITM)Unauthorized access, Men in the Middle (MITM)
Unauthorized access, Men in the Middle (MITM)Balvinder Singh
 
50063
5006350063
50063Rui Dong
 
Search Engine Poisoning
Search Engine PoisoningSearch Engine Poisoning
Search Engine PoisoningImperva
 
owasp_meetup_12_10
owasp_meetup_12_10owasp_meetup_12_10
owasp_meetup_12_10sean_todd
 

More Related Content

What's hot

NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven HatfieldNTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven HatfieldNorth Texas Chapter of the ISSA
 
How I Hacked The Government And Got Away With It
How I Hacked The Government And Got Away With ItHow I Hacked The Government And Got Away With It
How I Hacked The Government And Got Away With ItSteven Hatfield
 
Stateless Anti-Csrf
Stateless Anti-CsrfStateless Anti-Csrf
Stateless Anti-Csrfjohnwilander
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website TrendsSucuri
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryChristopher Grayson
 
Sucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri
 
Webinar: CWAF for Mid Market/Enterprise Organizations
Webinar: CWAF for Mid Market/Enterprise OrganizationsWebinar: CWAF for Mid Market/Enterprise Organizations
Webinar: CWAF for Mid Market/Enterprise OrganizationsSucuri
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 

What's hot (11)

NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven HatfieldNTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
NTXISSACSC3 - How I hacked the Government and Got Away with It by Seven Hatfield
 
How I Hacked The Government And Got Away With It
How I Hacked The Government And Got Away With ItHow I Hacked The Government And Got Away With It
How I Hacked The Government And Got Away With It
 
Stateless Anti-Csrf
Stateless Anti-CsrfStateless Anti-Csrf
Stateless Anti-Csrf
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website Trends
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request Forgery
 
Sucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online Store
 
Webinar: CWAF for Mid Market/Enterprise Organizations
Webinar: CWAF for Mid Market/Enterprise OrganizationsWebinar: CWAF for Mid Market/Enterprise Organizations
Webinar: CWAF for Mid Market/Enterprise Organizations
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 

Similar to Paper nctsn

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Netsparker
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly applicationAbhinav Mishra
 
Unauthorized access, Men in the Middle (MITM)
Unauthorized access, Men in the Middle (MITM)Unauthorized access, Men in the Middle (MITM)
Unauthorized access, Men in the Middle (MITM)Balvinder Singh
 
Search Engine Poisoning
Search Engine PoisoningSearch Engine Poisoning
Search Engine PoisoningImperva
 
owasp_meetup_12_10
owasp_meetup_12_10owasp_meetup_12_10
owasp_meetup_12_10sean_todd
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Webandres1422
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.comOWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.comSV Ruby on Rails Meetup
 
A4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A JA4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A Jbhardwajakshay
 
Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015 Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015 Joe Ferguson
 

Similar to Paper nctsn (20)

Web spoofing (1)
Web spoofing (1)Web spoofing (1)
Web spoofing (1)
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly application
 
Web spoofing
Web spoofingWeb spoofing
Web spoofing
 
Cookie surveillance
Cookie surveillanceCookie surveillance
Cookie surveillance
 
Unauthorized access, Men in the Middle (MITM)
Unauthorized access, Men in the Middle (MITM)Unauthorized access, Men in the Middle (MITM)
Unauthorized access, Men in the Middle (MITM)
 
50063
5006350063
50063
 
Search Engine Poisoning
Search Engine PoisoningSearch Engine Poisoning
Search Engine Poisoning
 
owasp_meetup_12_10
owasp_meetup_12_10owasp_meetup_12_10
owasp_meetup_12_10
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Web
 
OWASP
OWASPOWASP
OWASP
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.comOWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
 
T04505103106
T04505103106T04505103106
T04505103106
 
A4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A JA4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A J
 
Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015 Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015
 

Recently uploaded

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Recently uploaded (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Paper nctsn

  • 1. Open Redirect Vulnerability on NCTSN nctsnet.org has a link you can exploit it using open redirect vulnerability for a phishing. If you right click on mouse you can see this url: Taking the second part of the link, after pubdlcnt.php? =, you can include a malicious url and send to some user to perform phishing. http://www.nctsnet.org/sites/all/modules/pubdlcnt/pubdlcnt.php?file=
  • 2. Analyzing the source code, we can observe that there is no validation or verification of the link to where the user will be redirected. But what are Open Redirect Vulnerabilities? An open redirect vulnerability occurs when a victim visits a particular URL for a given website and that website instructs the victim’s browser to visit a completely different URL, on a separate domain. When you visit the URL, the main page would receive a GET HTTP request and use the variable to parameter's value to determine where the visitor's browser should be redirected. After doing só, another page would return a 302 HTTP response, instructing the user's broswer to make a GET request to another page, the variable parameter's value. The Open Web Application Security Project (OWASP), which is a community dedicated to application security that curates a list of the most critical security flaws in web applications, has listed this vulnerability in ther 2014 Top Ten vulnerabilities list. Open redirects exploit the trust of a given domain, www.nctsnet.org, to lure victims to a malicious website. This can be used in phishing attack to trick users into believing theu are submitting information to the trusted site, when their valuable information is actually going to a malicious site. This also enables attackers to distribute malware from the malicious site or steal Oauth tokens.
  • 3. Not all vulnerabilities are complex. This open redirect simply required changing the domain_name parameter to an external site, which would have resulted in a user being redirected off-site from NCTSNET. This type of vulnerability relies on an abuse of trust, where victims are tricked into visiting an attacker's site thinking they will be visiting a site they recognize. When you spot likely vulnerable parameters, be sure to test them out thoroughly and add special characters, like a period, if some part of the URL is hard-coded.