HTML Form found in redirect page
Description
Manual confirmation is required for this alert.
An HTML form has been detected in a page that issues an HTTP redirect (301/302 status code). While browsers automatically follow redirects and never display the form to users, the underlying HTML content remains accessible to direct HTTP requests. This configuration often indicates incomplete access control implementation, where developers rely solely on redirection for security without properly terminating script execution. Attackers using tools that don't follow redirects (such as curl, Burp Suite, or custom HTTP clients) can access and interact with the hidden form, potentially bypassing authentication or authorization checks.
Remediation
Implement proper server-side access control by terminating script execution immediately after issuing a redirect. Never rely on HTTP redirects alone for security.
Specific remediation steps:
1. Add explicit script termination: Always call exit(), die(), or equivalent functions immediately after sending redirect headers to prevent further code execution.
2. Implement proper access control: Verify user permissions before processing any sensitive operations, not just before redirecting.
3. Review all redirect locations: Audit your codebase for redirect statements and ensure each is followed by script termination.
Example fix for PHP:
<?php
// BEFORE (Vulnerable):
if (!isset($_SESSION["authenticated"])) {
header("Location: auth.php");
// Script continues executing - VULNERABLE
}
// AFTER (Secure):
if (!isset($_SESSION["authenticated"])) {
header("Location: auth.php");
exit(); // Terminate script execution immediately
}
?>For other frameworks:
- ASP.NET: Use
Response.Redirect(url, true) where the second parameter terminates execution- Node.js/Express: Return immediately after
res.redirect()- Java: Call
return; after setting redirect headersAdditionally, implement defense-in-depth by adding proper authentication checks at the beginning of every protected page, independent of redirect logic.