
Redirection with Body

Impact: Low

Description

An HTTP redirection (3XX status code) does not require a body. A body in a redirection response indicates that the server kept executing code after emitting the redirect headers. Redirection with a body can cause serious information leakage or expose access to sensitive functionality. For example, consider an admin page that redirects unauthorized users to a login page. If the redirection is implemented incorrectly, the response can still carry the admin page contents, with all of its links and functionality, to an unauthorized user; a browser follows the redirect and hides this, but a proxy or any client that does not follow redirects sees the full page.

Recommendation

Exit the code execution routine after redirection. In PHP, call exit() or die() immediately after header('Location: ...'). In ASP.NET, Response.Redirect("redirected-page.aspx") ends the response by default (endResponse is true); if you pass false as the second argument to avoid the ThreadAbortException, you must also call HttpContext.Current.ApplicationInstance.CompleteRequest() and return from the handler, otherwise the rest of the page still executes and its output is sent along with the redirect.
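As an added example (not SmartScanner's own code), a small detection check in Python for the condition described above: it parses a raw HTTP response and flags a 3xx that carries real page content rather than the short "document moved" stub many servers emit. The size threshold and the HTML markers are assumed heuristics, and both sample responses are constructed.

```python
import re

# Heuristics: a tiny "Moved" stub that many servers emit by default is benign;
# real page content (links, forms, inputs, scripts) or a large body after a
# redirect indicates the handler kept executing after sending Location.
CONTENT_MARKERS = re.compile(rb"<(a\s+[^>]*href|form\b|script\b|input\b)", re.I)
MAX_STUB_BYTES = 512  # assumed threshold for a harmless "document moved" notice

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers_dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body

def redirect_with_body(raw: bytes) -> bool:
    """True when a 3xx response carries substantive content alongside Location."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400) or "location" not in headers:
        return False
    if status == 304:  # Not Modified never carries a body by definition
        return False
    stripped = body.strip()
    if not stripped:
        return False
    return len(stripped) > MAX_STUB_BYTES or bool(CONTENT_MARKERS.search(stripped))

# Constructed sample responses (not captured from any real site).
BENIGN = (b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body><h1>302 Found</h1><p>The document has moved.</p></body></html>")

LEAKING = (b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Type: text/html\r\n\r\n"
           b"<html><body><h1>Admin panel</h1>"
           b"<a href=\"/admin/users\">Manage users</a>"
           b"<form action=\"/admin/delete\" method=\"post\"><input name=\"id\"></form>"
           b"</body></html>")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("leaking", LEAKING)):
        print(label, "->", "FLAG" if redirect_with_body(raw) else "ok")
```

Run it against responses captured with a client that does not follow redirects (for example curl without -L), since a browser hides the body by following the Location header.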


Last updated on July 07, 2021
