Restricting redirects through Scala Stream Collector

We just transitioned email link click tracking from an old home-grown service to our collectors using the “/r/tp2” endpoint. Our security staff have expressed concern that the redirects are wide open, so that a phisher could redirect users to a malicious site using the collector’s redirect functionality. Is anyone aware of a mechanism we can use to lock down the redirects?

3 Likes

Any update or good way to fix this default behaviour?

@igorbrigadir, if you are not using the redirect feature yourself, you should disable that endpoint in the collector

enableDefaultRedirect = false

If you do use it yourself, the best option is to enable AWS WAF or Google Cloud Armor (depending on your cloud). It lets you block traffic that matches rules you define, such as a regex that the value of the u parameter must match.

3 Likes

Thanks!

In case it helps someone else: I ended up using a traefik router rule to block anything that isn’t the domains I allow, like this:

Host(`collector.com`) && PathPrefix(`/r`) && Query(`u={u:(http[s]?)(%3A)(%2F){2}(www\.)?((allowed1\.com)|(allowed2\.com)|(allowed3\.com))((%2F|%3F|%23|%3A).*)?$}`)

So if your collector redirect url is like:

https://collector.com/r/tp2?e=se&p=web&aid=app&se_la=example&u=http%3A%2F%2Fwww.allowed1.com%2Ffoobar

it will match the rule and work, but if it’s

https://collector.com/r/tp2?e=se&p=web&aid=app&se_la=example&u=http%3A%2F%2Fwww.badurl.com%2Ffoobar

it won’t match and will fail, blocking the open redirect.

I’ve added this as an issue to the collector because I don’t think it would be particularly difficult to support and it seems like useful functionality.

1 Like
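The allowlist check behind both answers above (a WAF or traefik rule on the u parameter), written out as an added Go example that is not code from this thread or from the Snowplow collector. It assumes a guard sitting in front of the collector (the shape a traefik plugin or small reverse proxy would take), the redirect path prefix /r/, the parameter name u, and the hypothetical allowed hosts allowed1.com and allowed2.com; collectorStub and StatusFor are stand-ins written for the example. It parses the decoded URL and compares the host exactly instead of regex-matching the raw string, so a host-suffix target such as www.allowed1.com.evil.com, a userinfo trick such as www.allowed1.com@evil.com, and a protocol-relative //evil.com are all refused:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Exact set of hosts the collector may redirect to. Hypothetical names that
// mirror the allowed1.com/allowed2.com placeholders used in the thread.
var allowedHosts = map[string]bool{
	"allowed1.com":     true,
	"www.allowed1.com": true,
	"allowed2.com":     true,
	"www.allowed2.com": true,
}

// RedirectAllowed reports whether the (already URL-decoded) value of the u
// parameter may be followed. It parses the value instead of regex-matching the
// raw string, so the host is compared exactly: "allowed1.com.evil.com" or
// "evil.com/?next=allowed1.com" cannot pass the way a prefix match lets them.
func RedirectAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	// Absolute http(s) only: no javascript:/data: schemes and no
	// protocol-relative //evil.com (which parses with an empty scheme).
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	// "http://www.allowed1.com@evil.com/" parses with Host=evil.com and the
	// allowed name as userinfo; a redirect target never needs credentials.
	if u.User != nil {
		return false
	}
	host := u.Hostname() // drops :port and IPv6 brackets
	if host == "" {
		return false
	}
	return allowedHosts[strings.ToLower(host)]
}

// GuardRedirect wraps the collector: requests under /r/ whose u parameter is
// missing or not allowed get 400 instead of being redirected.
func GuardRedirect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/r/") {
			// Query() decodes u=http%3A%2F%2F... to http://...
			if !RedirectAllowed(r.URL.Query().Get("u")) {
				http.Error(w, "redirect target not allowed", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// collectorStub stands in for the real collector (hypothetical): /r/... answers
// with a 302 to u, every other path with 200, which is all this example needs.
var collectorStub = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if strings.HasPrefix(r.URL.Path, "/r/") {
		http.Redirect(w, r, r.URL.Query().Get("u"), http.StatusFound)
		return
	}
	w.WriteHeader(http.StatusOK)
})

// StatusFor sends one constructed request URL through the guarded stub and
// returns the resulting HTTP status code.
func StatusFor(rawURL string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, rawURL, nil)
	GuardRedirect(collectorStub).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed targets, including the host-suffix and userinfo tricks that a
	// prefix regex on the raw parameter would accept.
	for _, raw := range []string{
		"http://www.allowed1.com/foobar",
		"http://www.badurl.com/foobar",
		"http://www.allowed1.com.evil.com/foobar",
		"http://www.allowed1.com@evil.com/",
		"//www.allowed1.com/",
		"javascript:alert(1)",
	} {
		fmt.Printf("%-42s allowed=%v\n", raw, RedirectAllowed(raw))
	}
	const good = "https://collector.com/r/tp2?e=se&p=web&aid=app&se_la=example&u=http%3A%2F%2Fwww.allowed1.com%2Ffoobar"
	const bad = "https://collector.com/r/tp2?e=se&p=web&aid=app&se_la=example&u=http%3A%2F%2Fwww.allowed1.com.evil.com%2Ffoobar"
	fmt.Println("good ->", StatusFor(good), "bad ->", StatusFor(bad))
}
```

The decision is made on the parsed host only, so the port, path, query and fragment of the target are irrelevant, and the scheme check stops javascript: and protocol-relative targets that a regex anchored on http%3A%2F%2F would also stop but that a looser WAF rule might not. Whatever enforces this in production (WAF, traefik rule, or middleware), test it with the bypass inputs above and not only with one allowed and one disallowed host.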