So, our normal website has a PHP page to redirect us. Some websites will do that. Instead of having a direct link to an external website, they'll have a special page which says something like, "You are now being redirected to an external website. We have no responsibility for this information." So you may see that on some websites. So they implement a redirect page. And I'll visit that page directly on our normal website; it's called redirect.php, and it takes a parameter, url. And the URL can be set to whatever we like. And in this attack, let's say that there's a link such as this that we've clicked on, and it redirects us to something like this. The point of this redirect attack is that the page we're visiting, what's the domain of the website we're visiting? In this URL, what's the domain of the website? Myuni.edu, our real website. And many security features of browsers will check that the domain you're visiting is the expected one. And even the human user may check and notice, okay, I'm visiting myuni.edu. I trust that. It's my university website. So I trust any page that I go to on that website. So I visit that link and, all right, it's coming. I'm waiting for my website. Did I do something wrong? What did I do wrong? URL, URL. Glad someone's watching. I forgot an edu. Try it again. I'm visiting myuni.edu and it asked me to log in. I trust this website; it's the normal login. So I type in my, actually I'm a faculty member. I'll type in and log in as the faculty member. And I press log in. Okay, I'm waiting, fine. Oh, what happened? Maybe I typed my password wrong. So I'll log in again. Okay, I'll log in again. Yes, accept cookies. It's a bit slow. Okay, now I'm logged in as Steve and I can view the grades of everyone. So I'm logged in as a faculty member. What happened there? What happened, and I'll exit? I'm currently logged into the real myuni website. I'll exit; look at the URL closely.
And I think people have noticed, because I made a mistake there, that this redirect page actually redirects me to this other website. And it's a different one. And there are two things happening here. The redirect: first, the user may not notice that part. If you have a very long URL in your address bar or on a link, usually you just look at the domain. You don't take much notice of the rest of that URL, especially if it's very long and has strange characters. So the user sees, okay, I'm going to www.myuni.edu; the rest, whatever, it's just a URL. But in fact, the redirect takes us to a different website. It takes us to the malicious user's website, which has a fake login page. So when we visit that, what happens is it takes us to the malicious user's website, and this looks like the login for Myuni, but it's actually the fake login. And what I do is, when I type in my username and password on this fake login page and press login, the web server on that fake server, as we'll see in a moment, just records the username and password and then redirects me back to the original login page. So from the user's perspective, what I think is happening here is: I typed in my username and password, I pressed login, and maybe I typed my password wrong. Sometimes I type it wrong, so that's why it's sending me back to the original login. But what actually happened is, even if I typed the password correctly, the fake web server recorded the password and just redirected me back to the original login. So now I can log in as normal and I think everything's okay. So from the user's perspective, they don't know anything's gone wrong. They are logged in and they can view grades. But now let's look at our fake web server, which is node five. Node five was the fake web server. If we go and look in some of the code, there's this aids directory and there's the login.php, the fake login page.
All it does is, when someone posts some information, the username and password, this code takes the username and the password and writes them to a file, stolenlogins.txt. And then it redirects you to the original login. So the fake login page looks like a normal login page, but all it does is take the username and password, record them, and then send you back to the real login page so that you think nothing's gone wrong. So if you look in this file, temp slash stolenlogins, it's just a text file. And every time someone logs into this fake website, they don't actually log in; it just adds the username and password to this file. So now the fake web server, the malicious user, has recorded my password for the real MyUNI website. So this is taking advantage of that redirect feature that is sometimes available. So now the malicious user knows my password. There are two entries there because I tried that twice. And every time someone else tries to do it, there'll be another entry added there. So this can be set up so that when all the users try to log in, they're redirected to the fake website, it records their password, and later they can use that to log into the real website. Any questions on how that one worked? Let's look at the website; it's listed as risk number 10, unvalidated redirects and forwards. This is what was happening. The normal website had a feature to redirect you to other URLs. The malicious user used that to construct a URL or a link that redirects us to the malicious website, with the intent of tricking the user into thinking they're visiting the real website when they're actually redirected to the malicious website. And that can be used, in this case, to steal logins, and it can be used for other types of attacks as well. It could be used simply to get ad impressions.
That is, you're redirected to another website and that causes that other website to get money from people visiting it, or maybe, when you visit that other malicious website, it triggers your browser to download some malicious software and infects your computer. So the problem here is that the redirect didn't check that you're going to an appropriate website; it's unvalidated. So when you have such a redirect feature, you should ensure that the values which are supplied are valid and that they're authorized for the user. There are different ways to do that, but today we're just showing how it works. Where do we get to? The other thing that's used here is that the fake website has a URL which is very similar to the real website. All right, I just created it so it looks like it's www.myuny.edu. Well, no, not quite. There's a .gr here. So maybe if you don't notice and, even without a redirect, you're sent to this URL, then you may not notice that it is, in fact, not your university website; it's another one, because the URL is very similar to the one you expect. And that's another form of attack, tricking the user into visiting websites which they think are appropriate but are not.
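One way to do the validation the lecture calls for, written here as an added example and not code from the lecture's MyUNI site: the redirect page checks the supplied url parameter against an allowlist of the site's own hostnames and falls back to a fixed local page otherwise. The allowlist, the default target and the sample URLs are all constructed for this example; the exact-match rule is what rejects lookalike hosts such as the www.myuni.edu.gr style shown above, and the extra checks cover scheme-relative (//host), backslash and user@host forms that are easy to overlook.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: hostnames the real site may send users to,
# and the local page used whenever the requested target is not acceptable.
ALLOWED_HOSTS = {"www.myuni.edu", "myuni.edu"}
DEFAULT_TARGET = "/index.php"


def validate_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a safe redirect target for the given url parameter.

    Accepts a site-relative path ("/grades.php") or an http(s) URL whose
    whole hostname is on the allowlist; anything else yields DEFAULT_TARGET.
    """
    if not isinstance(url, str) or not url.strip():
        return DEFAULT_TARGET

    # Some browsers treat "\" like "/", so "/\evil.example" would become
    # scheme-relative. Normalise first so the checks below see what the
    # browser will see.
    url = url.replace("\\", "/")
    parts = urlsplit(url)

    # Case 1: no scheme and no host, i.e. a path on this site. Require
    # exactly one leading "/" so "//evil.example/" is not mistaken for local.
    if not parts.scheme and not parts.netloc:
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return DEFAULT_TARGET

    # Case 2: absolute URL. Only http(s) (blocks javascript:, data:, etc.),
    # no userinfo (blocks "http://www.myuni.edu@evil.example/"), and the
    # full hostname must match the allowlist (blocks www.myuni.edu.gr).
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if "@" in parts.netloc:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return DEFAULT_TARGET
    return url


if __name__ == "__main__":
    # Constructed sample inputs: the first two pass, the rest fall back.
    for candidate in ["/grades.php?term=1", "http://www.myuni.edu/grades.php",
                      "http://www.myuni.edu.gr/login.php", "//evil.example/",
                      "http://www.myuni.edu@evil.example/", "javascript:alert(1)"]:
        print(candidate, "->", validate_redirect(candidate))
```

A redirect page that wraps its Location header with a check like this still has to send the user somewhere on failure, which is why the fallback is a fixed local page rather than the raw parameter.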