Redirection with Body

Description

An HTTP redirection (3XX status code) typically does not include a body. However, if a body is present in the redirection response, it indicates that code execution continues after the redirection. This can lead to information leakage or expose access to sensitive functionalities. For instance, an improperly implemented redirection may reveal admin page contents to unauthorized users, compromising security.

Recommendation

To mitigate this risk:

• Ensure that code execution halts after redirection.
• In PHP, use exit() or die() after redirection.
• In ASP.NET, use Response.Redirect("redirected-page.aspx", false) to redirect users without continuing code execution.

References

• CWE-200
• CWE-698
• OWASP 2021-A5