Redirection with Body
Impact: Low
Description
An HTTP redirection (3xx status code) does not need a response body, and browsers discard whatever body is sent because they follow the Location header immediately. A non-empty body in a 3xx response therefore indicates that the server kept executing the request handler after issuing the redirect instead of terminating it. That leftover output can cause serious information leakage or expose sensitive functionality to anyone who reads the raw response instead of following the redirect (for example with curl -i, a scanner, or an intercepting proxy). Consider an admin page that redirects unauthorized users to a login page: if the redirect code does not stop execution, the 302 response body contains the full admin page, including its links and forms, which the unauthorized user can read directly.
Recommendation
Terminate the request handler immediately after issuing the redirect, so that no further output is generated.
In PHP, call exit() (or its alias die()) right after the header("Location: ...") call.
In ASP.NET, Response.Redirect("redirected-page.aspx") ends the response by default (the endResponse parameter defaults to true). If you pass false as the second argument to avoid the ThreadAbortException that Response.End() raises, you must stop processing yourself, typically by calling Context.ApplicationInstance.CompleteRequest() and then returning from the handler; otherwise the page keeps executing and its output is written into the 302 body.
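The following is an added example (not code from the original page): a vulnerable and a fixed version of the admin handler from the description, written as minimal WSGI callables, plus the check a scanner applies to the raw response. The cookie name admin_session, the /login path and the admin HTML are assumptions made for the demo; the probe() helper issues a single request without following redirects so the 3xx body is visible, which is exactly what a browser hides.

```python
"""Redirection with body: vulnerable vs. fixed handler, and a raw-response check."""
import http.client
from urllib.parse import urlsplit

# Constructed sample content standing in for a real admin page.
ADMIN_HTML = b"<h1>Admin</h1><a href='/admin/users'>Manage users</a>"
LOGIN_URL = "/login"


def is_admin(environ):
    # Hypothetical session check: any request carrying this cookie counts as admin.
    return "admin_session=" in environ.get("HTTP_COOKIE", "")


def vulnerable_admin(environ, start_response):
    """Sets the redirect headers for anonymous users but keeps rendering the page."""
    if not is_admin(environ):
        start_response("302 Found", [("Location", LOGIN_URL), ("Content-Type", "text/html")])
        # BUG: execution falls through; the full admin page is sent as the 302 body.
    else:
        start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_HTML]


def fixed_admin(environ, start_response):
    """Returns right after issuing the redirect (the PHP exit() / ASP.NET return equivalent)."""
    if not is_admin(environ):
        start_response("302 Found", [("Location", LOGIN_URL), ("Content-Type", "text/html")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_HTML]


def call_app(app, environ):
    """Invoke a WSGI app and return (status, headers, body) as a raw HTTP client would see them."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def redirect_with_body(status, headers, body):
    """True when a 3xx response carries anything beyond whitespace in its body.

    Browsers follow Location immediately, so the leak is only visible to a client
    that does not auto-follow redirects (curl -i, http.client, a vulnerability scanner).
    """
    code = int(status.split()[0]) if isinstance(status, str) else int(status)
    has_location = any(name.lower() == "location" for name, _ in headers)
    return 300 <= code <= 399 and has_location and len(body.strip()) > 0


def probe(url, cookie=None, timeout=10):
    """Fetch url once without following redirects and flag a redirect-with-body response.

    Returns (status_code, body, flagged). Network helper for real targets; not exercised offline.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    body = resp.read()
    headers = resp.getheaders()
    conn.close()
    return resp.status, body, redirect_with_body(resp.status, headers, body)


if __name__ == "__main__":
    anonymous = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin"}
    for name, app in (("vulnerable", vulnerable_admin), ("fixed", fixed_admin)):
        status, headers, body = call_app(app, anonymous)
        print(f"{name}: {status}, body={body[:40]!r}, "
              f"redirect_with_body={redirect_with_body(status, headers, body)}")
```

Run the script to see the vulnerable handler answer an anonymous request with a 302 whose body still contains the "Manage users" link, while the fixed handler sends an empty body; probe("http://host/admin") applies the same check to a live application.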
Last updated on July 07, 2021