Vulnerabilities/

Unvalidated Redirection

Severity:: High

Description

Unvalidated redirects and forwards occur when a web application accepts untrusted input that could redirect the user to a URL provided within the input. Attackers exploit this vulnerability by manipulating the URL input to redirect users to malicious sites, leading to phishing scams and credential theft.

Recommendation

To prevent unvalidated redirection attacks, implement a mapping between user input and redirection targets. Utilize whitelists to validate user input for redirection. If validation fails, notify the user before redirection to ensure they are aware of the destination.

References

OWASP: Unvalidated Redirects and Forwards Cheat Sheet
OWASP: Phishing
CWE-601
CAPEC-194
OWASP 2021-A1

Related Issues

Open Redirection In URL - CVE-2018-14574
No Redirection from HTTP to HTTPS - Vulnerability
Redirection with Body - Vulnerability
User Controllable URL - Vulnerability

Tags:: URL Redirection; Phishing

Anything's wrong? Let us know Last updated on May 13, 2024