| Details | |
|---|---|
| Alert ID | 10028 |
| Alert Type | Passive |
| Status | release |
| Risk | High |
| CWE | 601 |
| WASC | 38 |
| Technologies Targeted | All |
| Tags |
CWE-601 OWASP_2017_A01 OWASP_2021_A03 POLICY_DEV_STD POLICY_PENTEST POLICY_QA_STD WSTG-V42-CLNT-04 |
| More Info |
Scan Rule Help |
Summary
Open redirects are one of the OWASP 2010 Top Ten vulnerabilities. This check looks at user-supplied input in query string parameters and POST data to identify where open redirects might be possible. Open redirects occur when an application allows user-supplied input (e.g. https://nottrusted.com) to control an off-site destination. This is generally a pretty accurate way to find where 301 or 302 redirects could be exploited by spammers or phishing attacks.
For example an attacker could supply a user with the following link: https://example.com/example.php?url=https://malicious.example.com.
NOTE: For the purposes of the passive check the authority portion of the origin and destination were compared. Manual testing may be required to validate the impact of this finding.
Solution
To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URI's, or a list of trusted domains.Other Info
The 301 or 302 response to a request for the following URL appeared to contain user input in the location header: https://example.com/transact The user input found was: place=evil.com The context was: http://evil.comReferences
- https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
- https://cwe.mitre.org/data/definitions/601.html