Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
The application uses forwards to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful.
In this case, the attacker crafts a URL that will bypass the application’s access control check and then forwards the attacker to administrative functionality for which the attacker isn’t authorized.
http://www.example.com/boring.jsp?fwd=admin.jsp
Open redirects can even introduce XSS, depending on the circumstances (for example, if the victim's browser supports redirecting to the data: or javascript: protocols).
Safe use of redirects and forwards can be made in a number of ways:
Hdiv guarantees integrity (no modification) of all data generated by the server. This includes any malicious access trying to exploit this risk, because the vast majority of unvalidated redirects and forwards are based on server side data coming from combos or links and these are not exploitable with Hdiv.
Risk Covered
