Unvalidated Redirects and Forwards

Rejah Rehim
Published on
24 Jun 2018

Web applications regularly redirect and forward users to other pages or websites and use doubtful data to determine the destination pages. Without proper authentication attackers can redirect victims to phishing or malware sites.


This application has a page called “redirect.jsp” which takes a single parameter called “url”. The attacker makes a malicious URL that redirects users to a malicious site evil.com that performs phishing and installs malware.




Unvalidated Redirects and Forwards redirects may attempt to install malware or trick victims into exposeing passwords or other sensitive information. Unsafe forwards may allow attacker to bypass access control bypass.

Mitigation / Precaution

  • Avoid using redirects and forwards.

  • If used do not use user parameters in finding the destination.

  • If destination parameter are mandatory ensure that the supplied value is valid.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.