When a web application first redirects to an HTTP URL and only later redirects to HTTPS, an attacker can exploit this behaviour to send users to a different host, because the redirect target is taken from user-supplied parameters without proper validation. The attacker carries out the attack by supplying an untrusted URL as input that points to a malicious site. From there, the attacker can launch a phishing campaign to steal user credentials for the application. Because the server name in the modified link is identical to that of the original site, the phishing link appears legitimate to users.
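The fix the paragraph implies is that a redirect target must never be taken from user input as-is. The following added example (not code from the original page or from Beagle) shows one way to validate a redirect parameter: only same-site paths or URLs on an allow-listed host are accepted, any accepted absolute URL is rewritten to HTTPS so the first hop is never plain HTTP, and everything else falls back to a safe default. The allowed host `app.example.com` and the attacker-style inputs in the docstring are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder: the host(s) this application is allowed to redirect to.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return a redirect target that stays on this site, or `default`.

    Accepts:
      - site-relative paths such as "/account/settings"
      - absolute URLs whose host is in `allowed_hosts` (rewritten to https)
    Rejects (returns `default`):
      - other hosts, including scheme-relative "//evil.example/..."
      - userinfo tricks such as "https://app.example.com@evil.example/"
      - non-http(s) schemes such as "javascript:..."
      - backslash variants ("/\\evil.example") that browsers treat as "//"
    """
    if not raw:
        return default

    # Browsers normalise backslashes to forward slashes in the authority
    # part, so do the same before parsing to avoid a parser mismatch.
    raw = raw.strip().replace("\\", "/")
    parts = urlsplit(raw)

    # Any explicit scheme other than http/https is never a valid page target.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default

    if parts.netloc:
        # Absolute or scheme-relative URL: the host must be allow-listed.
        # `hostname` strips userinfo and port and lower-cases the host.
        if parts.hostname not in allowed_hosts:
            return default
        # Rebuild from the validated hostname only, force HTTPS so the
        # redirect never passes through plain HTTP, and drop the fragment.
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))

    # No host given: only accept a site-relative path that starts with "/".
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def https_upgrade_location(request_host, request_path, allowed_hosts=ALLOWED_HOSTS):
    """Build the Location header for an HTTP->HTTPS upgrade redirect.

    The target is derived from the request's own host and path, never from a
    query parameter, and an unrecognised Host header is replaced by the
    first allow-listed host so the redirect cannot be steered elsewhere.
    """
    host = request_host.split(":", 1)[0].lower()
    if host not in allowed_hosts:
        host = sorted(allowed_hosts)[0]
    if not request_path.startswith("/"):
        request_path = "/" + request_path
    return "https://" + host + request_path


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/phish",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
    print(https_upgrade_location("evil.example", "/login"))
```

Validating on the parsed hostname rather than on a string prefix is the important design choice here: a prefix check like `raw.startswith("https://app.example.com")` is defeated by `https://app.example.com@evil.example/` and by `https://app.example.com.evil.example/`, both of which the parsed-hostname check rejects.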
Using this vulnerability, an attacker can:-
Beagle recommends the following:-