UNVALIDATED REDIRECT & FORWARDS

Feature Value
Type Detection / Protection
Risk Other
Covered by Agent / Library

The application is using an untrusted input to craft a redirect/forward url.

    http://example.com/path?url=http://example.com/report1

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Open redirects can even introduce XSS, depending on the circumstances (for example, if the victim's browser supports redirecting to the data: or javascript: protocols).

How to solve it

Safe use of redirects and forwards can be made in a number of ways:

• Simply avoid using redirects and forwards.
• If used, do not allow the url as user input for the destination. This can usually be done. In this case, you should have a method to validate URLs.
• If user input cannot be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
• It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server-side code translate this value to the target URL.
• Sanitize input by creating a list of trusted URLs (lists of hosts or a regex).
• Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.