"Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials." (OWASP)
Use a mapping between user input and the redirection target, so the request carries only a key and the application resolves it to a fixed URL. You can also validate user input against an allow-list of permitted destinations. If neither is applicable, show the user the destination and ask for confirmation before redirecting.
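The following is an added example (not from OWASP or the original text) showing the three mitigations in the order recommended above: a key-to-URL mapping, an allow-list check on a raw URL, and a confirmation step as the fallback. The base URL, host allow-list and redirect map are assumed values for the example; the allow-list check deliberately handles the common bypass shapes (scheme-relative `//host`, userinfo `host@evil`, backslashes, non-http schemes) so that only same-site paths and allow-listed hosts pass.

```python
from urllib.parse import urlsplit

# Assumed application configuration (example values, not from the original page).
ALLOWED_HOSTS = {"app.example.com", "docs.example.com"}

# Mitigation 1: map short keys to fixed destinations; the user never supplies a URL.
REDIRECT_MAP = {
    "home": "/",
    "dashboard": "/dashboard",
    "docs": "https://docs.example.com/start",
}

# Characters that enable CRLF header injection or backslash-as-slash confusion in browsers.
_FORBIDDEN_CHARS = "\r\n\t\\"


def redirect_by_key(key):
    """Return the fixed target for a known key, or None for any unknown input."""
    return REDIRECT_MAP.get(key)


def is_allowed_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Mitigation 2: accept a raw URL only if it is a same-site path or an allow-listed host."""
    if not target or any(c in target for c in _FORBIDDEN_CHARS):
        return False
    parts = urlsplit(target)
    # Reject javascript:, data:, and anything other than plain web schemes.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # netloc is set for both absolute URLs and scheme-relative "//host" forms.
        # parts.hostname strips userinfo and port, so "https://app.example.com@evil/"
        # compares the real host ("evil"), not the decoy before the "@".
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts
    # No host: only accept an absolute path on this site, never "//" (protocol-relative).
    return target.startswith("/") and not target.startswith("//")


def plan_redirect(user_input):
    """Combine the mitigations: mapping first, then allow-list, then confirmation, else reject.

    Returns ("redirect", url), ("confirm", url) or ("reject", None).
    """
    mapped = redirect_by_key(user_input)
    if mapped is not None:
        return ("redirect", mapped)
    if is_allowed_redirect(user_input):
        return ("redirect", user_input)
    # Mitigation 3: a syntactically sane external http(s) URL may be shown on an
    # interstitial page that names the destination and asks the user to confirm.
    if user_input and not any(c in user_input for c in _FORBIDDEN_CHARS):
        parts = urlsplit(user_input)
        if parts.scheme in ("http", "https") and parts.hostname:
            return ("confirm", user_input)
    return ("reject", None)


if __name__ == "__main__":
    # Constructed sample inputs, as a request parameter like ?next=... might carry them.
    for sample in ["dashboard", "/account", "https://app.example.com/next",
                   "//evil.example", "https://app.example.com@evil.example/",
                   "https:evil.example", "javascript:alert(1)", "https://partner.example/x"]:
        print(f"{sample!r:45} -> {plan_redirect(sample)}")
```

Note that the allow-list compares the parsed hostname exactly, so `app.example.com.evil.example` does not pass, and the confirmation branch is the only path by which an arbitrary external host ever reaches the user, and only after they have seen it.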
- OWASP: Unvalidated Redirects and Forwards Cheat Sheet
- OWASP 2013-A10
- OWASP 2021-A1
- OWASP 2021-A3