Redirects to HTTPS eventually, but initial redirection is to another HTTP URL

Published on
05 Jun 2018
Client Side URL Redirect

When a web application initially redirects to an HTTP URL and then redirects to HTTPS eventually. The attacker can easily exploit this vulnerability for a successful attack and can be redirected to a different host without any proper validation of user parameters. An attacker can execute this attack by adding an untrusted URL input to a malicious site. The attacker can easily launch a phishing scam to steal user credentials from the application. As the server name in the modified link is identical to the original site, phishing attempts will give a legit appearance on the Internet.


Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends the following:-

  • Remove redirect from the application.
  • Disable HTTP completely from the application.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment