Open Redirection
Description
This endpoint accepts user-controlled input that is used to redirect visitors to external URLs without proper validation. Open redirection vulnerabilities occur when an application accepts untrusted input to control the destination of a redirect, allowing attackers to craft malicious links that appear legitimate but redirect users to attacker-controlled sites. This vulnerability is commonly exploited in phishing campaigns where attackers leverage the trusted domain to deceive users.
Remediation
Implement strict validation and sanitization of all user-supplied input used in redirects. Follow these steps to remediate this vulnerability:
1. Use an allowlist approach: Maintain a list of approved redirect destinations and only allow redirects to URLs on this list.
2. Avoid user-controlled redirects: Where possible, use indirect references (such as numeric IDs) instead of accepting full URLs as parameters.
3. Validate redirect URLs: If you must accept URLs, validate that they match your domain or approved external domains.
Example (Java):
import java.util.Arrays;
import java.util.List;
// Bad - Vulnerable to open redirect: the destination is taken straight from the request
String url = request.getParameter("redirect");
response.sendRedirect(url);
// Good - Allowlist validation: exact match against a fixed list of local paths
String redirect = request.getParameter("redirect");
List<String> allowedUrls = Arrays.asList("/home", "/profile", "/dashboard");
if (allowedUrls.contains(redirect)) {
    response.sendRedirect(redirect);
} else {
    response.sendRedirect("/home"); // Default safe location
}
Example (PHP):
// Bad - Vulnerable to open redirect: any URL the client supplies is sent back as the Location
$redirect = $_GET['url'];
header("Location: " . $redirect);
// Good - Validate against allowed domains
$redirect = $_GET['url'] ?? '';
$parsed = parse_url($redirect);
$allowedHosts = ['example.com', 'www.example.com'];
// Require an http(s) URL whose host is on the allowlist. parse_url() returns false for
// badly malformed input, and a value with no host component (a "javascript:" URL, or a
// bare relative path) has no 'host' key, so both fall through to the default location.
if ($parsed !== false
    && isset($parsed['scheme'], $parsed['host'])
    && in_array(strtolower($parsed['scheme']), ['http', 'https'], true)
    && in_array(strtolower($parsed['host']), $allowedHosts, true)) {
    header("Location: " . $redirect);
} else {
    header("Location: /home"); // Default safe location
}
4. Warn users: If redirecting to external sites is required, display an interstitial page warning users they are leaving your site.
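The following is an added example (not code from the original advisory) that puts steps 1 to 3 together in one validator written in Python, and goes a little beyond the snippets above by handling the URL-parsing edge cases a host allowlist has to survive: protocol-relative paths, backslashes, userinfo in front of the host, look-alike subdomains and non-http schemes. The host names, the named-destination table and the default location are constructed values for the example.

```python
from urllib.parse import urlsplit

# Constructed values for this example: the application's own host, the
# external hosts it is willing to send users to, and a table of indirect
# references (step 2) that maps short IDs to fixed destinations.
OWN_HOST = "www.example.com"
ALLOWED_EXTERNAL_HOSTS = {"partner.example.org"}
NAMED_DESTINATIONS = {"home": "/home", "docs": "https://partner.example.org/docs"}
DEFAULT_LOCATION = "/home"


def resolve_named_destination(ref):
    """Step 2: indirect reference. The client names a destination by ID and the
    URL itself never comes from the request; unknown IDs get the default."""
    return NAMED_DESTINATIONS.get(ref, DEFAULT_LOCATION)


def is_safe_relative_path(target):
    """Step 1: a local path is acceptable only if it is rooted with a single
    slash. '//host' and '/\\host' are treated as protocol-relative URLs by
    browsers, and backslashes elsewhere are normalised to slashes by some of
    them, so all of those are rejected."""
    if not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    return "\\" not in target


def is_allowed_absolute_url(target):
    """Step 3: parse the URL and compare the exact host against the allowlist.
    Only http(s) is accepted, userinfo ('user@host') is rejected because it
    makes one host look like another, and the comparison is an exact match so
    'www.example.com.attacker-controlled' does not pass."""
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed bracketed IPv6 host
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host == OWN_HOST or host in ALLOWED_EXTERNAL_HOSTS


def safe_redirect_target(user_input):
    """Return the location to redirect to: the input if it passes validation,
    otherwise the default safe location (never an error page, so the caller
    has nothing to get wrong)."""
    if not user_input:
        return DEFAULT_LOCATION
    # Leading/trailing whitespace is ignored by browsers but defeats naive
    # prefix checks, so normalise it away before validating.
    target = user_input.strip()
    if is_safe_relative_path(target) or is_allowed_absolute_url(target):
        return target
    return DEFAULT_LOCATION


if __name__ == "__main__":
    for sample in ["/dashboard", "//evil.example/", "https://www.example.com@evil.example/",
                   "https://partner.example.org/docs", "javascript:void(0)"]:
        print(repr(sample), "->", safe_redirect_target(sample))
```

The design choice worth noting is that everything not explicitly recognised falls back to a fixed local location rather than being "cleaned up": rewriting a hostile URL into a safe one is far harder to get right than refusing it. Logging the rejected value (without following it) is also useful, since a burst of rejected redirects to one external host is a good indicator that the parameter is being probed.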