Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages or sites, and often use untrusted data (such as a request parameter) to determine the destination. Without proper validation of that destination, attackers can redirect victims to phishing or malware sites.

Example

Suppose the application has a page called “redirect.jsp” which takes a single parameter called “url” and sends the browser wherever that parameter points. The attacker crafts a link to the trusted site that redirects users to a malicious site, evil.com, which performs phishing and installs malware. Because the link starts with the trusted domain, victims are more likely to click it.

        http://www.test.com/redirect.jsp?url=evil.com

Impact

An unvalidated redirect may send victims to a site that installs malware or tricks them into disclosing passwords or other sensitive information. An unsafe forward may let an attacker reach pages they are not authorized to view, bypassing access control.

Mitigation / Precaution

  • Avoid using redirects and forwards where possible.

  • If they are used, do not involve user-supplied parameters in calculating the destination.

  • If a destination parameter cannot be avoided, ensure that the supplied value is valid and authorized for the user: check it against an allow-list of permitted destinations, or have the parameter carry a server-side index that is mapped to the real URL rather than accepting a URL directly.
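The following is an added example, not code from the original page, that puts the redirect.jsp pattern above beside a hardened version of the mitigations just listed. The function names, the allow-list of hosts, the forward mapping and the test inputs are all assumptions constructed for illustration. Besides the page's own payload (a bare evil.com), it also covers the common variants a validator must reject: a full http://evil.com URL, the protocol-relative //evil.com, the backslash form /\evil.com that browsers treat the same way, a userinfo trick such as http://www.test.com@evil.com, a javascript: scheme, and CR/LF characters that would otherwise be injected into the Location header.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this site is willing to redirect to.
# "www.test.com" is the host from the page's example; the rest is assumed.
ALLOWED_HOSTS = {"www.test.com"}
DEFAULT_TARGET = "/"

# Constructed server-side index for forwards: the client sends a key, never a path.
FORWARD_TARGETS = {
    "home": "/home.jsp",
    "account": "/account.jsp",
}
DEFAULT_FORWARD = "/home.jsp"


def vulnerable_redirect_target(url_param):
    """The pattern the page describes: the 'url' parameter is used unchanged.

    Anything the attacker places in ?url= becomes the redirect destination.
    """
    return url_param


def safe_redirect_target(url_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect destination that is either a local path or an
    allow-listed http(s) URL; fall back to `default` for anything else."""
    if not url_param:
        return default

    # Control characters and whitespace have no place in a URL and are the
    # raw material for header injection (e.g. "\r\nSet-Cookie: ...").
    if any(ord(c) < 0x20 or c in " \t" for c in url_param):
        return default

    # Browsers treat "/\evil.com" like "//evil.com"; normalise before parsing
    # so the parser sees what the browser would see.
    candidate = url_param.replace("\\", "/")

    try:
        parts = urlsplit(candidate)
        hostname = parts.hostname  # lower-cased, port and userinfo stripped
    except ValueError:
        # e.g. a malformed IPv6 literal; do not try to be clever with it
        return default

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) to an allowed host.
        # Using .hostname defeats "http://www.test.com@evil.com" (hostname is
        # evil.com) and "http://www.test.com:8080" style mismatches.
        if parts.scheme not in ("http", "https"):
            return default
        if hostname is None or hostname not in allowed_hosts:
            return default
        return candidate

    # Relative reference: require a single leading slash so it stays on this
    # origin. A bare "evil.com" or "//evil.com" both fail this check.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


def safe_forward_target(key, targets=FORWARD_TARGETS, default=DEFAULT_FORWARD):
    """Forward by index: the user never supplies a path, so they cannot name
    an internal page (such as an admin page) that is missing from the map."""
    return targets.get(key, default)


if __name__ == "__main__":
    # Constructed inputs; the first is the page's own payload.
    for p in ["evil.com", "http://evil.com", "//evil.com", "/\\evil.com",
              "http://www.test.com@evil.com/", "javascript:alert(1)",
              "/account\r\nSet-Cookie: x=1", "/account?tab=1",
              "https://www.test.com/account"]:
        print(f"{p!r:45} vulnerable={vulnerable_redirect_target(p)!r:45} "
              f"safe={safe_redirect_target(p)!r}")
    for k in ["account", "/admin.jsp"]:
        print(f"forward {k!r:12} -> {safe_forward_target(k)!r}")
```

The forward helper is the "do not use user parameters in finding the destination" bullet in code: the client can only choose among keys the server already decided are reachable. It does not replace access control on the target page itself; the page being forwarded to must still perform its own authorization check, because a forward, unlike a redirect, never passes back through the browser and any filters that run only on incoming requests.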

Related Articles