While searching for air tickets on Cleartrip.com, I came across an advertisement for discounted fares. Looking at the ad link carefully revealed one of the most prevalent web-application weaknesses: the Open Redirect. OWASP lists it in 10th position (A10, Unvalidated Redirects and Forwards) in its 2010 Top 10 list of web-application vulnerabilities (http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards).
The attack is straightforward:
http://www.cleartrip.com/eadserver/delivery/ck.php?oaparams=2__bannerid=143__zoneid=29__cb=76477cc4e4__oadest=http://www.yahoo.com
One simply puts any arbitrary URL into the oadest parameter and the visitor is redirected to it. The link itself still appears to point at cleartrip.com, which is exactly what makes an open redirect useful to an attacker.
To compare fares, I went to MakeMyTrip.com. That website uses the DoubleClick platform (a subsidiary of Google) to serve ads, and that platform too (ad.doubleclick.net) turned out to be vulnerable to the same attack. Here the click URL chains through a second ad server (yads.zedo.com) before landing on the attacker-chosen destination at the end:
http://ad.doubleclick.net/click%3Bh%3Dv8/3a5d/3/0/%2a/q%3B233069303%3B1-0%3B1%3B44554866%3B32370-478/245%3B39536441/39554228/1%3B%3B%7Esscs%3D%3fhttp://yads.zedo.com/ads2/c?a=861032;g=0;c=1163000003;i=0;x=7936;n=1163;s=1;k=http://google.com
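To make the failure in both links above concrete, here is an added example in Python. It is not Cleartrip's, OpenX's or DoubleClick's code: it shows a click-tracker redirect that behaves like the two above (whatever oadest says becomes the Location target) beside a hardened version that only follows allow-listed hosts or same-site paths. The click-URL layout follows the Cleartrip link (oadest as the last `__`-separated field inside oaparams); the base URL site.example, the allow-list and the sample destinations are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote, quote

# Hypothetical allow-list: the only external hosts this site will forward to.
ALLOWED_HOSTS = {"www.example.com", "ads.example.com"}


def make_click_url(dest: str) -> str:
    """Build an OpenX-style click URL (constructed for the example) whose
    oaparams field ends in oadest=<dest>, as in the Cleartrip link."""
    return ("http://site.example/ck.php?oaparams=2__bannerid=143__zoneid=29"
            "__cb=deadbeef__oadest=" + quote(dest, safe=""))


def oadest_from_click_url(click_url: str) -> str:
    """Pull the redirect target out of the click URL.

    Assumes the page's layout: several key=value pairs packed into one
    'oaparams' value separated by '__', with oadest as the final field, so
    everything after 'oadest=' is the target (it may itself contain '__').
    """
    qs = parse_qs(urlsplit(click_url).query)
    oaparams = qs.get("oaparams", [""])[0]
    marker = "oadest="
    i = oaparams.find(marker)
    if i == -1:
        return ""
    # parse_qs already decoded once; decode again so a doubly-encoded
    # '%252F%252F' cannot slip past the checks below as '%2F%2F'.
    return unquote(oaparams[i + len(marker):])


def vulnerable_redirect(click_url: str) -> str:
    """The behaviour seen on both ad servers: the oadest value is used as
    the Location header unchecked, so any URL works."""
    return oadest_from_click_url(click_url)


def safe_redirect(click_url: str, fallback: str = "/") -> str:
    """Hardened handler: forward only to allow-listed hosts over http(s)
    or to a same-site absolute path; anything else goes to the site root."""
    target = oadest_from_click_url(click_url)
    if not target:
        return fallback
    # '//host' is a scheme-relative URL and browsers treat '\' like '/'
    # in the authority position, so reject both before parsing.
    if target.startswith("//") or "\\" in target:
        return fallback
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Local path such as /deals/123; require the leading slash.
        return target if target.startswith("/") else fallback
    # Rejects javascript:, data:, 'http:evil' (no host) and
    # 'https://www.example.com@evil' (hostname is the part after '@').
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return fallback


if __name__ == "__main__":
    for dest in ("http://www.yahoo.com", "https://www.example.com/deals",
                 "/deals/123", "//evil.example", "javascript:alert(1)"):
        url = make_click_url(dest)
        print(f"{dest!r:45} vulnerable -> {vulnerable_redirect(url)!r:35} "
              f"safe -> {safe_redirect(url)!r}")
```

The allow-list check is on `parts.hostname`, not on a substring of the URL: prefix or suffix matching ("starts with www.example.com") is exactly what `https://www.example.com@evil.example/` and `https://www.example.com.evil.example/` are built to defeat. For a click tracker the cleaner fix is to not carry a destination URL in the request at all and look the banner's landing page up by bannerid server-side.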
While not a very serious attack vector on its own, it becomes particularly dangerous when carefully teamed up with social engineering (then again, what isn't!): the victim sees and clicks a link on a trusted domain and only ends up on the attacker's page after the redirect.
Both vulnerabilities were reported to the respective websites. Both responded, but only Google has fixed the problem; it persists on Cleartrip.com. (Cleartrip actually uses OpenX software to serve ads; the OpenX team was also notified about the problem, but has not responded.)