Description
An HTTP redirection (3XX status code) normally carries no body, or at most a short placeholder linking to the new location. If a redirection response carries a substantial body, it usually means that server-side execution continued after the Location header was set, and that everything the handler produced afterwards was sent to the client along with the redirect (CWE-698, Execution After Redirect). Browsers follow the redirect and never display that body, but any client that does not follow it, such as curl, a proxy, or an attacker's script, reads it in full. This can leak information or expose sensitive functionality: for instance, an access check that redirects unauthorized users to the login page but does not stop still renders the admin page contents into the 302 response. The damage is not limited to disclosure: if the code that runs after the redirect performs a privileged action rather than merely producing output, that action is carried out for the unauthorized user as well.
Recommendation
To mitigate this risk:
- Ensure that code execution halts immediately after the redirection header is set; the redirect must be the last thing an access check does.
- In PHP, call exit() or die() right after sending the Location header. Returning from the current function is not enough if the caller goes on to render the page.
- In ASP.NET, Response.Redirect("redirected-page.aspx") with the default endResponse argument (true) ends the response and aborts the rest of the request. Passing false, as in Response.Redirect("redirected-page.aspx", false), does the opposite: it only sets the header and lets the page keep executing. If you use that form to avoid the ThreadAbortException raised by Response.End, you must follow it with Context.ApplicationInstance.CompleteRequest() and a return so that no further code runs.
- Verify the fix by requesting the protected page without credentials from a client that does not follow redirects (for example curl -i) and confirming that the 3XX response has an empty body.
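The following PHP script is an added example, not code from the original page: it shows the fall-through redirect the description warns about next to the halting version the recommendation asks for. The session-based is_admin() check, the /login.php target, and the content of the admin panel are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original page. It contrasts a redirect
// that falls through with one that halts. The session layout, the
// /login.php target and the admin content are assumptions for illustration.
declare(strict_types=1);

session_start();

function is_admin(): bool
{
    // Assumed session layout: the login handler stores the user's role here.
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

function render_admin_panel(): void
{
    // Whatever is emitted here is the sensitive content the page protects.
    $pending = $_SESSION['pending_users'] ?? [];
    echo "<h1>Admin panel</h1>\n";
    echo "<p>" . count($pending) . " accounts awaiting approval</p>\n";
}

// VULNERABLE: header() only queues the Location header; the script keeps
// running, so the output of render_admin_panel() becomes the body of the
// 302 response. Any client that does not follow redirects (curl -i, a
// proxy log, a script) reads the admin content without being an admin.
function admin_page_vulnerable(): void
{
    if (!is_admin()) {
        header('Location: /login.php', true, 302);
        // no exit here: execution falls through to the privileged part
    }
    render_admin_panel();
}

// FIXED: halt right after the redirect so nothing below runs for
// unauthorized users. exit terminates the whole script, including any
// code in the files that included this one, and flushes the headers set so far.
function admin_page_fixed(): void
{
    if (!is_admin()) {
        header('Location: /login.php', true, 302);
        exit;
    }
    render_admin_panel();
}

admin_page_fixed();
```

Requesting the page with curl -i and no session cookie shows the difference: the vulnerable handler answers with HTTP/1.1 302 Found, a Location: /login.php header and then the admin HTML as the body, while the fixed handler answers with the same status and header and an empty body. A browser renders both the same way, which is why the problem is usually missed in manual testing and only surfaces in a scanner or a proxy log.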