Unvalidated Document Object Model redirection

Febna V M
Published on
29 Jun 2018

Document Object Model based open redirection occurs when a script writes controllable data into the target of a redirection in an unsecured way. An attacker can use this vulnerability to construct a custom URL. If the URL is visited by another application user, it will cause a redirection to a target external domain. This web application uses Document Object Model input values to store the address of the page in which the client is to be redirected. An unvalidated redirection can occur when the attacker is able to modify the affected parameter value and can control the location of the redirection.


This vulnerability can has the following impacts:-

  • Data phishing
  • The attacker can steal information from end-users
  • The attacker can pursue the end-user into downloading malicious files

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Applying proper authentication on the client side code.
  • Using the whitelisted parameters as the parameter values.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment