Project Overview
This investigation analyzed web server log activity to identify possible open redirection attack attempts against a web application. The review focused on suspicious requests that passed external URLs into a query parameter, indicating that an actor was testing whether the application could redirect users to external destinations.
Objective
The objective was to determine whether the observed HTTP requests indicated normal user activity or malicious probing for an open redirection vulnerability.
Investigation Timeline
postId parameter.
Log Source
The investigation was based on web log entries showing repeated GET requests that attempted to pass encoded external URLs through the postId parameter. The requests were associated with source IP 86.236.188.85 and returned HTTP 400 responses.
Key Indicators Observed
- Suspicious query string patterns
- Encoded external URLs
- Repeated attacker requests
- Server response behavior
- Likely attacker intent
Investigation Analysis
The HTTP requests attempted to supply full encoded external URLs into the postId parameter instead of expected internal values. Payloads included references to destinations such as google.com, www.google.com, and obfuscated variants such as whitelisteddomain.tld@google.com.
The repeated HTTP 400 responses suggested that the application rejected the malformed or suspicious input. However, the request pattern still indicated vulnerability testing, reconnaissance, or attempted abuse of redirect behavior.
Analyst Notes
Open redirection testing is important to review because successful exploitation can support phishing campaigns, malicious link delivery, and user deception by abusing trust in a legitimate domain.
Although the server returned HTTP 400 responses, failed exploitation attempts still provide useful security signals and may indicate attacker interest in the application.
MITRE ATT&CK Mapping
- Reconnaissance and vulnerability probing
- Phishing support through trusted-domain abuse
- Application attack behavior involving input manipulation
Final Verdict
Suspicious Activity - Open Redirection Probing Detected
The activity was assessed as malicious or highly suspicious because it involved repeated attempts to inject external URLs into a web application parameter in order to test redirect behavior.
Recommended Remediation Actions
- Validate and sanitize redirect-related parameters
- Restrict redirects to approved internal destinations
- Log and alert on repeated external URL injection attempts
- Block or rate-limit suspicious IPs if activity persists
- Review web application behavior for unsafe redirect logic
- Monitor for related phishing or abuse attempts
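As an added example (not code from the original investigation), the following Python script turns the indicators from the analysis and the "log and alert" remediation item into detection logic run over constructed sample log lines: it decodes the postId parameter, flags values whose host is off-site (including the whitelisteddomain.tld@google.com form), and counts attempts per source IP against the server's response codes. It assumes the combined access-log format and that whitelisteddomain.tld is the application's own host.

```python
# Added example (not from the original investigation). Assumes combined log
# format and the `postId` parameter; log lines are constructed samples.
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WATCHED_PARAMS = {"postId"}
INTERNAL_HOSTS = {"whitelisteddomain.tld"}  # assumption: the application's own host

# Constructed sample lines; 86.236.188.85 is the source IP named in the report.
SAMPLE_LOG = """\
86.236.188.85 - - [10/Mar/2024:10:01:02 +0000] "GET /post?postId=https%3A%2F%2Fgoogle.com HTTP/1.1" 400 162 "-" "-"
86.236.188.85 - - [10/Mar/2024:10:01:05 +0000] "GET /post?postId=%2F%2Fwww.google.com HTTP/1.1" 400 162 "-" "-"
86.236.188.85 - - [10/Mar/2024:10:01:09 +0000] "GET /post?postId=whitelisteddomain.tld%40google.com HTTP/1.1" 400 162 "-" "-"
10.0.0.7 - - [10/Mar/2024:10:02:00 +0000] "GET /post?postId=42 HTTP/1.1" 200 5120 "-" "-"
"""

def is_external_url(value: str) -> bool:
    """True if the value resolves to a host outside INTERNAL_HOSTS. Decodes twice (double-encoded
    probes), accepts scheme-less '//host', and catches 'trusted@evil' (urlsplit treats it as userinfo)."""
    v = unquote(unquote(value)).strip()
    if "://" not in v and not v.startswith("//"):
        if "@" not in v and "." not in v.split("/")[0]:
            return False          # ordinary internal value such as '42' or '/posts/1'
        v = "//" + v              # force parsing as a network location
    try:
        host = (urlsplit(v).hostname or "").lower()
    except ValueError:
        return True               # unparseable netloc: treat as suspicious
    return bool(host) and host not in INTERNAL_HOSTS

def scan(log_text: str) -> list:
    """Return one finding per watched parameter value that points off-site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, values in parse_qs(urlparse(m["path"]).query).items():
            for val in values:
                if name in WATCHED_PARAMS and is_external_url(val):
                    hits.append({"ip": m["ip"], "param": name, "target": val, "status": int(m["status"])})
    return hits

def summarize(hits: list) -> dict:
    """Per-IP attempt count and whether the server rejected every attempt (4xx/5xx)."""
    return {ip: {"attempts": n, "all_rejected": all(h["status"] >= 400 for h in hits if h["ip"] == ip)}
            for ip, n in Counter(h["ip"] for h in hits).items()}
```

The same is_external_url check can sit in front of the application's redirect handler to enforce the "approved internal destinations" remediation item.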
Lessons Learned
- Suspicious query parameters can reveal attack attempts even when exploitation fails.
- Repeated malformed requests often indicate testing behavior.
- Open redirection can support phishing and user deception.
- Web log analysis is an important part of defensive monitoring.
- Response codes such as 400 can help determine whether attacks succeeded or failed.
Investigation Evidence
Selected screenshots from the investigation workflow. These visuals support the written analysis and help show the investigation process.
Web log evidence showing suspicious open redirection request patterns.
Evidence identifying the source IP and targeted parameter used during the probing activity.