Unvalidated Redirects and Forwards

OWASP Top 10 2013 - A10



What are Unvalidated Redirects and Forwards?

Unvalidated redirects and forwards are possible when a web application accepts untrusted input and uses it as the destination of a redirect or forward. By changing that destination to a malicious site, an attacker can launch a phishing scam and steal user credentials; because the server name in the modified link is identical to the original site, the phishing attempt looks more trustworthy. Unvalidated forwards can also be used to craft a URL that passes the application's access control check and is then forwarded to privileged functions the attacker would not normally be able to reach.

Example of unvalidated redirect

The application uses forwards to route requests between different parts of the site. To facilitate this, some pages take a parameter indicating where the user should be sent if a transaction is successful.

In this case, the attacker crafts a URL that passes the application's access control check on the entry page, and the forward then sends the request to administrative functionality for which the attacker isn't authorized.


Open redirects can even introduce XSS, depending on the circumstances (for example, if the victim's browser supports redirecting to the data: or javascript: protocols).



How to Prevent Unvalidated Redirects and Forwards

Custom Validation

Safe use of redirects and forwards can be made in a number of ways:

  • Simply avoid using redirects and forwards.
  • If they are used, do not take the destination URL from user input; this is usually achievable. Where it is not, you need a method to validate the URL.
  • If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of it, and that server-side code translate this value to the target URL.
  • Sanitize input by validating it against a list of trusted URLs (a list of hosts, or a regex).
  • Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.
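The following is an added example, not code from the original page or from Hdiv, showing the two recommendations above side by side with the vulnerable pattern from the scenario section: an unvalidated redirect that uses the client-supplied value verbatim, the mapping approach (an opaque key translated server-side to the real destination), and an allowlist validator for the cases where a URL really must come from the request. The hosts, destinations and sample URLs are constructed for the example; the validator also rejects the `data:` and `javascript:` schemes mentioned earlier and the scheme-relative (`//host`) and header-injection forms that a naive check would let through.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts this application is permitted to redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Mapping approach: the request carries an opaque key; server-side code
# translates it to the real target, so the URL itself never comes from the client.
DESTINATIONS = {
    "home": "/",
    "account": "/account/summary",
    "help": "https://help.example.com/",
}


def vulnerable_redirect_target(param):
    """The unvalidated pattern: whatever the client supplied becomes the Location."""
    return param


def mapped_redirect_target(key, default="/"):
    """Translate a destination key to a URL; unknown keys fall back to a fixed local page."""
    return DESTINATIONS.get(key, default)


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only local paths or absolute http(s) URLs whose host is allowlisted.

    Rejected on purpose: empty values, CR/LF/TAB (header injection and parser
    confusion), backslashes (browsers treat '\\' as '/'), scheme-relative
    '//host' forms, and any scheme other than http/https (javascript:, data:, ...).
    """
    if not isinstance(url, str) or not url:
        return False
    if any(c in url for c in "\r\n\t\\"):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # A relative reference: allow only an absolute local path ("/x"), not "//x".
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; excludes userinfo such as "example.com@evil"
    return host is not None and host in allowed_hosts


def validated_redirect_target(url, default="/"):
    """Use the supplied URL only if it passes validation, otherwise a fixed default."""
    return url if is_safe_redirect(url) else default


if __name__ == "__main__":
    # Constructed inputs an attacker might place in the redirect parameter.
    for candidate in [
        "/account/summary",
        "https://www.example.com/orders",
        "//evil.example/",
        "https://example.com.evil.example/",
        "https://example.com@evil.example/",
        "javascript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "https://evil.example/\r\nSet-Cookie: session=x",
    ]:
        print(repr(candidate), "->", validated_redirect_target(candidate))
    print("key 'account' ->", mapped_redirect_target("account"))
    print("key '../admin' ->", mapped_redirect_target("../admin"))
```

The mapping approach is the stronger of the two because there is nothing to validate: the client can only choose among keys the server already defined. The allowlist validator is the fallback for legacy parameters that carry full URLs, and it deliberately compares the parsed host rather than doing a prefix or substring match on the raw string, which is how `https://example.com.evil.example/` and `https://example.com@evil.example/` slip past weaker checks.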

How Hdiv Can Help

Hdiv guarantees the integrity (no modification) of all data generated by the server. This covers attempts to exploit this risk, because the vast majority of unvalidated redirects and forwards rely on server-generated data coming from combo boxes or links, and that data cannot be tampered with under Hdiv.

Risk Covered

Hdiv's flow control system controls all data generated on the server side, ensuring its integrity.


