Unvalidated Redirects and Forwards

OWASP 2013-A10 OWASP 2017-A6 CWE-601 ISO27001-A.14.2.5 WASC-38

Web applications regularly redirect and forward users to other pages or websites, and often use untrusted data to determine the destination. Without proper validation of that destination, attackers can redirect victims to phishing or malware sites.

This application has a page called “redirect.jsp” which takes a single parameter called “url”. The attacker builds a link to that page whose “url” value points to a malicious site, evil.com, which performs phishing and installs malware on the victim's machine.

Unvalidated redirects may be used to install malware or trick victims into exposing passwords or other sensitive information. Unsafe forwards may allow an attacker to bypass access controls.

Mitigation / Precaution

  • Avoid using redirects and forwards.

  • If they are used, do not involve user-supplied parameters in determining the destination.

  • If destination parameters cannot be avoided, ensure that the supplied value is validated, for example against an allow-list of permitted destinations.
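As an added illustration that is not part of the original article, the following Python shows the hardened counterpart of a “redirect.jsp”-style endpoint that takes a “url” parameter: the third mitigation above (validate the supplied value against an allow-list) and the second (replace free-form URLs with a fixed lookup key). The origin, host list and redirect table are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit

# Assumed sample values for this example: the origin the application is
# served from and the hosts a redirect is permitted to land on.
SITE_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com"}

def safe_redirect_target(url: str, default: str = "/") -> str:
    """Validate a user-supplied redirect destination against an allow-list.

    The untrusted value is resolved against our own origin and accepted only
    if the result is an https URL whose host is allow-listed; anything else
    falls back to a fixed default instead of being echoed into a Location
    header. Returns the absolute URL to redirect to.
    """
    if not url:
        return default
    # Browsers normalise "\" to "/" and tolerate embedded control characters,
    # which can turn an apparently relative path into a protocol-relative URL
    # (e.g. "/\\evil.com"). Reject such input outright rather than guess.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return default
    # urljoin turns relative paths into same-origin URLs, expands
    # protocol-relative "//host/..." forms, and leaves absolute URLs and
    # foreign schemes such as "javascript:" unchanged, so every case is
    # judged by the same scheme/host check below.
    resolved = urljoin(SITE_ORIGIN + "/", url)
    parts = urlsplit(resolved)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return default
    # "https://www.example.com@evil.com/" parses to hostname evil.com and is
    # already rejected above; refuse any userinfo component regardless.
    if parts.username is not None or parts.password is not None:
        return default
    return resolved

# Alternative that removes user control entirely: the parameter is an opaque
# key into a server-side table of permitted destinations (constructed sample).
REDIRECT_TABLE = {
    "docs": "/help/docs",
    "login": "/login",
}

def destination_for_key(key: str, default: str = "/") -> str:
    """Map a lookup key to a fixed destination; unknown keys get the default."""
    return REDIRECT_TABLE.get(key, default)
```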
