Unvalidated Document Object Model redirection

OWASP 2013-A10 OWASP 2017-A6 OWASP 2021-A5 OWASP PC-C1 CWE-601 WASC-38

Document Object Model (DOM) based open redirection occurs when a script writes attacker-controllable data into the target of a redirection without validating it. An attacker can use this vulnerability to construct a custom URL which, when visited by another user of the application, redirects that user to an external domain. This web application reads the address of the page to which the client is to be redirected from Document Object Model input values. An unvalidated redirection occurs when the attacker is able to modify the affected parameter value and thereby control the destination of the redirection.

This vulnerability can have the following impacts:

  • Data phishing
  • The attacker can steal information from end-users
  • The attacker can persuade the end-user into downloading malicious files

Mitigation / Precaution

This vulnerability can be fixed by:

  • Applying proper validation of the redirect target in the client-side code.
  • Accepting only whitelisted values for the redirect parameter and rejecting everything else.
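The vulnerable pattern and the whitelist-based fix described above, as an added example that is not part of the original page. The parameter name `next`, the function names and the allowed paths are assumptions; the sample URLs are constructed for illustration.

```javascript
// Added example: DOM-based open redirect, vulnerable form beside the hardened form.
// Sample URLs passed in below are constructed; "next" is an assumed parameter name.

// VULNERABLE: the "next" value is handed straight to the redirect without validation,
// so a crafted link such as ?next=https://evil.example sends the user off-site.
function vulnerableRedirectTarget(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  return params.get('next'); // caller would do: window.location = target
}

// Whitelist of relative paths this application is willing to redirect to (assumed).
const ALLOWED_PATHS = new Set(['/account', '/dashboard', '/orders']);
const DEFAULT_PATH = '/';

// HARDENED: resolve the candidate against the page's own origin, then require
// (1) the same origin and (2) a path on the whitelist. Anything else falls back.
function safeRedirectTarget(pageUrl, allowed = ALLOWED_PATHS) {
  const page = new URL(pageUrl);
  const candidate = page.searchParams.get('next');
  if (candidate === null) return DEFAULT_PATH;

  let resolved;
  try {
    // Relative values resolve against the current page; absolute or scheme-relative
    // values ("https://...", "//host/...") keep their own origin and fail the origin check.
    resolved = new URL(candidate, page.origin);
  } catch {
    return DEFAULT_PATH; // unparsable input is never reflected
  }
  if (resolved.origin !== page.origin) return DEFAULT_PATH;
  if (!allowed.has(resolved.pathname)) return DEFAULT_PATH;
  // Return only the pathname so no attacker-supplied query or fragment is reflected.
  return resolved.pathname;
}

// Browser usage, guarded so the module also loads outside a browser.
if (typeof window !== 'undefined') {
  window.location.assign(safeRedirectTarget(window.location.href));
}
```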
