Unvalidated Redirection

Impact: High

Description

Unvalidated redirects and forwards occur when a web application accepts untrusted input that could redirect the user to a URL provided within the input. Attackers exploit this vulnerability by manipulating the URL input to redirect users to malicious sites, leading to phishing scams and credential theft.

Recommendation

To prevent unvalidated redirection attacks, implement a mapping between user input and redirection targets. Utilize whitelists to validate user input for redirection. If validation fails, notify the user before redirection to ensure they are aware of the destination.

References

CWE-601
OWASP 2021-A1
OWASP: Phishing
OWASP: Unvalidated Redirects and Forwards Cheat Sheet

👉 You might also like:

Unvalidated Redirection

Description

Recommendation

References

Open Redirection In URL - CVE-2018-14574

These 7 PHP mistakes leave your website open to the hackers

Better Passive Vulnerability Testing with SmartScanner version 1.7

No Redirection from HTTP to HTTPS - Vulnerability

This issue is available in SmartScanner Professional