I am experiencing an issue with my website hosted on an IIS server. When accessing the site, if the Referer header contains google.com, bing.com, or any other search engine, the site gets redirected to a malicious page. However, if I remove the Referer header, the site loads successfully without any issues.

I suspect this behavior might be related to a vulnerability in the way redirects are handled based on the Referer header. This issue only occurs with search engine referers and seems to be triggered by the presence of these specific referers.
Here are the details of a typical request that causes the redirect:
GET / HTTP/2
Host: example.com
Cookie: _ga_2FK43E86ZM=GS1.1.1721305211.3.1.1721306057.0.0.0; _ga=GA1.2.2000218721.1721294436; _ga_SJ54V8FC8G=GS1.1.1721815198.3.1.1721815922.0.0.0; ASP.NET_SessionId=awofngu4rog3mmb5b4efzjnw; collect_chat_page_load=4; _gid=GA1.2.377104470.1721815201; _gat_UA-203476796-1=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Referer: google.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers


When the Referer header includes google.com, bing.com, or any other search engine, the site redirects to a malicious page. Removing the Referer header prevents this redirect.

What I have tried:

I need assistance in diagnosing and resolving this issue. Any insights or suggestions would be greatly appreciated.
Posted
Updated 24-Jul-24 5:17am

1 solution

Quote:
I suspect this behavior might be related to a vulnerability in the way redirects are handled based on the Referer header.

And what makes you suspect that?

There are many public websites hosted on IIS; the vast majority do not have the behaviour you describe.

Therefore, either your server has malware installed; your code has been infected with malware; your code is relying on a database which has been modified by a malicious user; or your code is doing something else wrong.

Since we don't have access to your server, we can't see any of your code, and you either haven't attempted to diagnose the problem, or haven't shared the results of your diagnosis, there is nothing anyone can do to help you.
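
Added example, not part of the question or the answer above: a small Python probe that repeats the comparison the question describes (same URL, with and without a search-engine Referer) and records how each response differs from the no-Referer baseline, which is the kind of diagnosis result the answer asks for. The Referer list, the control value and the function names are assumptions made for this sketch.

```python
import hashlib
import sys
import urllib.error
import urllib.request

# Constructed sample values; "google.com" matches the Referer in the request above.
REFERERS = ["google.com", "https://www.google.com/", "https://www.bing.com/",
            "https://intranet.example/"]  # last one is a non-search-engine control

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx; urllib then raises HTTPError

def http_fetch(url, referer):
    """One GET without following redirects -> (status, Location, body)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer is not None:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as r:
            return r.status, r.headers.get("Location"), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read()

def compare(url, fetch=http_fetch, referers=REFERERS):
    """Return [(referer, [reasons])] for responses that differ from the no-Referer baseline."""
    b_status, b_loc, b_body = fetch(url, None)
    b_hash = hashlib.sha256(b_body).hexdigest()
    findings = []
    for ref in referers:
        status, loc, body = fetch(url, ref)
        reasons = []
        if (status, loc) != (b_status, b_loc):
            reasons.append(f"{status} Location={loc!r} (baseline {b_status} Location={b_loc!r})")
        if hashlib.sha256(body).hexdigest() != b_hash:
            # Dynamic pages can differ legitimately; diff the two bodies by hand.
            reasons.append("body differs from baseline")
        if reasons:
            findings.append((ref, reasons))
    return findings

if __name__ == "__main__":
    for ref, reasons in compare(sys.argv[1]):
        print(f"Referer {ref!r}: " + "; ".join(reasons))
```

Run it against your own site's URL. A difference that appears for the search-engine Referers but not for the control shows the server itself is answering differently per Referer, which narrows the search to the causes listed in the answer.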

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


