Unvalidated Redirection
Impact: High
Description
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. (Source: OWASP)
Recommendation
Do not use the untrusted input itself as the redirection target. Prefer a mapping from a user-supplied key to a fixed, server-side redirection target. Alternatively, validate the user input against a white-list of permitted targets (same-site paths or explicitly allowed hosts). If neither is applicable, show the user a page that names the destination and asks for confirmation before redirecting.
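The two recommended controls side by side, as an added example that is not part of the original page: a key-to-target mapping and an allow-list validator for a user-supplied "next" URL. The host list, mapping and fallback path are assumed application settings constructed for this example; the validator also covers the parser-versus-browser disagreements (protocol-relative `//host`, backslash `/\host`, `user@host` authority) that commonly defeat naive host checks.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical application settings (constructed for this example):
# the only hosts this app may send users to, and a fixed key -> target map.
ALLOWED_HOSTS = {"app.example.com", "docs.example.com"}
REDIRECT_MAP = {"home": "/", "docs": "https://docs.example.com/start"}
FALLBACK = "/"  # where to land when the requested target is not acceptable


def unsafe_redirect_target(user_url: str) -> str:
    """The vulnerable pattern: the 'next' parameter is used verbatim."""
    return user_url


def redirect_by_key(key: str) -> str:
    """Mapping approach: the request carries a key, never a URL."""
    return REDIRECT_MAP.get(key, FALLBACK)


def safe_redirect_target(user_url: str) -> str:
    """Allow-list approach: accept a same-site path or an https URL to an
    allowed host; anything else (including parser/browser disagreements
    such as '//host', '/\\host', 'user@host') falls back to FALLBACK."""
    if not isinstance(user_url, str) or not user_url:
        return FALLBACK
    # Control characters and whitespace are stripped by browsers but not by
    # every parser, so reject them outright rather than normalise.
    if any(ord(ch) < 33 for ch in user_url):
        return FALLBACK
    # Browsers treat '\' as '/', so '/\evil' is really '//evil' (protocol-relative).
    candidate = user_url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash, no authority component.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return FALLBACK
    if parts.scheme != "https" or parts.username or parts.password:
        return FALLBACK
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    if port not in (None, 443):
        return FALLBACK
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
```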
References
- OWASP: Unvalidated Redirects and Forwards Cheat Sheet
- CWE-601
- OWASP 2013-A10
- OWASP 2021-A1
- CWE-20
- OWASP 2021-A3
Last updated on February 15, 2021