Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Java:

```java
response.sendRedirect("http://www.mysite.com");
```

PHP:

```php
<?php
/* Redirect browser */
header("Location: http://www.mysite.com");
?>
```

ASP.NET:

```csharp
Response.Redirect("~/folder/Login.aspx")
```

Rails:

```ruby
redirect_to login_path
```

In the examples above, the URL is being explicitly declared in the code and cannot be manipulated by an attacker.

## Dangerous URL Redirects

The following examples demonstrate unsafe redirect and forward code.

### Dangerous URL Redirect Example 1

The following Java code receives the URL from the parameter named `url` (GET or POST) and redirects to that URL:

```java
response.sendRedirect(request.getParameter("url"));
```

The following PHP code obtains a URL from the query string (via the parameter named `url`) and then redirects the user…
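The safe counterpart to the `sendRedirect(request.getParameter("url"))` pattern is to never hand user input to the redirect call unchecked. The Python below is an added example written for this page, not code from the cheat sheet or from any framework; it shows the two standard defences. `is_safe_redirect` accepts only same-site relative paths or absolute `http(s)` URLs whose host is on an allow-list, and it also handles the parsing corner cases an attacker relies on (protocol-relative `//host`, backslash-as-slash, `user@host` confusion, non-HTTP schemes, header-injection characters). `redirect_by_key` shows the stricter alternative of mapping an opaque key to a server-side table so no URL ever comes from the client. `ALLOWED_HOSTS`, `REDIRECT_TABLE` and the `www.mysite.com` hosts are constructed values for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of hosts this application may redirect to (example values).
ALLOWED_HOSTS = {"www.mysite.com", "accounts.mysite.com"}
DEFAULT_TARGET = "/"

# Constructed server-side table for the key-based approach (example values).
REDIRECT_TABLE = {
    "login": "/login",
    "help": "https://www.mysite.com/help",
}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if target is a same-site relative path or an absolute
    http(s) URL whose host is on the allow-list."""
    if not target or any(c in target for c in "\r\n\x00"):
        # CR/LF would let the value inject extra response headers; NUL is never valid.
        return False

    # Browsers treat backslashes as forward slashes, so "/\evil.com" is really
    # "//evil.com" (protocol-relative). Normalise before parsing so the check
    # sees what the browser will see.
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)

    if parsed.scheme == "" and parsed.netloc == "":
        # Relative URL: require exactly one leading slash. "//host/..." is
        # protocol-relative and would leave the site; "///host" is rejected too.
        return normalised.startswith("/") and not normalised.startswith("//")

    if parsed.scheme not in ("http", "https"):
        # Rejects javascript:, data:, and anything else that is not a web origin.
        return False

    # .hostname strips userinfo and port, so "https://www.mysite.com@evil.com"
    # yields "evil.com" and is correctly rejected; the comparison is exact,
    # so "www.mysite.com.evil.com" does not match either.
    host = parsed.hostname
    return host is not None and host.lower() in allowed_hosts


def safe_redirect_target(user_input: str, default: str = DEFAULT_TARGET) -> str:
    """Value to pass to the framework's redirect call: the user's target if it
    passes validation, otherwise a fixed in-application default."""
    return user_input if is_safe_redirect(user_input) else default


def redirect_by_key(key: str, default: str = DEFAULT_TARGET) -> str:
    """Stricter alternative: the client supplies only an opaque key and the
    destination is looked up server-side, so no URL is ever taken from input."""
    return REDIRECT_TABLE.get(key, default)


if __name__ == "__main__":
    # Constructed sample inputs: what a ?url= parameter might carry.
    for candidate in ["/account", "//evil.com/x", "/\\evil.com",
                      "https://www.mysite.com/login",
                      "https://www.mysite.com@evil.com/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

In a servlet this would be `response.sendRedirect(safeRedirectTarget(request.getParameter("url")))`, and the equivalent `header("Location: ...")` call in PHP gets the validated value the same way. Prefer the key-based table where the set of destinations is known; use the host allow-list only when the application genuinely needs to send users to other sites.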