Redirection with Body
An HTTP redirection (3XX status code) does not require a body. When a redirection response does carry a body, it usually means the application kept executing, and kept generating output, after the redirect was issued. A redirection with a body can cause serious information leakage or expose access to sensitive functionality. For example, consider an admin page that redirects unauthorized users to a login page. If the redirection is not implemented properly, the response still contains the admin page contents, with all of its links and functions, and an unauthorized user who ignores the redirect (a proxy or a raw HTTP client shows the body directly) can read it.
Exit the code execution routine after redirection:
- In PHP, call die() immediately after sending the redirect header.
- In ASP.NET, use Response.Redirect("redirected-page.aspx", false) to redirect the user.
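The following Python checker is an added example and is not code from the original page; it shows how a defender can verify the remediation above from the response side rather than from the source code. It parses a raw HTTP response, reports nothing for non-3XX responses, and for a redirect reports whether a body is present and how many links and forms the body contains (a quick indicator that a whole page, not a short "moved" stub, leaked). The sample responses are constructed for the example; the parsing is deliberately minimal (no chunked encoding) and the `Finding` class and function names are this example's own.

```python
"""Flag HTTP redirect responses that carry a body (added example, not the page's code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Finding:
    status: int
    location: Optional[str]
    body_len: int
    links: int   # number of <a ...> tags in the leaked body
    forms: int   # number of <form ...> tags in the leaked body

    @property
    def vulnerable(self) -> bool:
        # Per the guidance above: a 3XX response should have no body at all.
        return self.body_len > 0


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].decode("latin-1").split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length when present so trailing bytes are not miscounted.
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body


def check_redirect(raw: bytes) -> Optional[Finding]:
    """Return a Finding for 3XX responses, None for everything else."""
    status, headers, body = parse_response(raw)
    if not 300 <= status <= 399:
        return None
    text = body.decode("utf-8", "replace")
    return Finding(
        status=status,
        location=headers.get("location"),
        body_len=len(body),
        links=len(re.findall(r"<a\s", text, re.IGNORECASE)),
        forms=len(re.findall(r"<form\s", text, re.IGNORECASE)),
    )


# Constructed sample responses (not captured from any real system).
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Admin panel</h1>"
    b'<a href="/admin/users.php">Users</a>'
    b'<a href="/admin/settings.php">Settings</a>'
    b'<form action="/admin/delete.php" method="post"></form>'
    b"</body></html>"
)

CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Login</body></html>"
)


if __name__ == "__main__":
    for name, raw in [("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE), ("ok", OK_RESPONSE)]:
        finding = check_redirect(raw)
        if finding is None:
            print(f"{name}: not a redirect")
        else:
            verdict = "REDIRECT WITH BODY" if finding.vulnerable else "redirect without body"
            print(f"{name}: {verdict} -> {finding.location} "
                  f"({finding.body_len} bytes, {finding.links} links, {finding.forms} forms)")
```

Run this against responses recorded for pages that should redirect unauthenticated users (an admin index, a settings page) and treat any non-zero body as a sign that the handler did not stop after setting the Location header; a body with links or forms is the case the text above describes, where the protected page itself has leaked. Whatever framework call is used, the fix is confirmed only when the redirect response comes back with an empty body.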
Last updated on July 07, 2021