User-controlled form action
Description
This vulnerability occurs when user-supplied input directly controls the action attribute of an HTML form without proper validation. The action attribute determines where form data is submitted when users click the submit button. An attacker can manipulate this parameter through URL parameters or other input mechanisms to redirect form submissions to a malicious server under their control, allowing them to capture sensitive information that users believe they are submitting to a legitimate destination.
Remediation
Implement strict server-side validation and sanitization of all user input that could influence form action attributes. Follow these steps to remediate this vulnerability:
1. Never use user input directly in form action attributes. Use hardcoded, server-defined URLs or validate against a whitelist of allowed destinations.
2. Implement server-side validation: If dynamic form actions are required, validate the destination URL against a strict whitelist of allowed domains and paths.
Example (the insecure pattern, followed by a secure whitelist-validated version):
<!-- Insecure - DO NOT USE: the user-supplied value is written straight into the action attribute -->
<form action="<?php echo $_GET['redirect']; ?>" method="POST">

<!-- Secure - Use whitelist validation -->
<?php
$allowed_actions = [
    '/submit-form',
    '/process-payment',
    '/update-profile',
];
// Take the requested destination, falling back to the default when it is absent.
$action = $_GET['redirect'] ?? '/submit-form';
// Strict comparison against the whitelist; anything not listed gets the safe default.
if (!in_array($action, $allowed_actions, true)) {
    $action = '/submit-form'; // Default safe action
}
?>
<form action="<?php echo htmlspecialchars($action, ENT_QUOTES, 'UTF-8'); ?>" method="POST">
3. Use relative URLs: Prefer relative paths over absolute URLs to prevent redirection to external domains.
4. Implement Content Security Policy (CSP): Configure CSP headers to restrict form submission destinations using the form-action directive.
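Steps 3 and 4 together, as an added example that is not part of the original page: a helper that accepts only site-relative paths (rejecting absolute URLs, scheme-relative "//host" URLs, "javascript:"-style schemes, backslashes and control characters, all of which a naive "starts with /" check can miss) and a Content-Security-Policy header with the form-action directive as a browser-enforced backstop. The function name safe_form_action, the default destination and the test inputs are assumptions made for this example; where the set of valid destinations is known in advance, the fixed whitelist shown above remains the stronger control, and this helper is for the case where the path must be dynamic.

```php
<?php
// Added example (not from the original page): accept only site-relative
// form actions and back that up with a CSP form-action directive.

/**
 * Return $candidate if it is a safe, site-relative path; otherwise $default.
 * Rejects absolute URLs, scheme-relative URLs (//host), scheme prefixes
 * such as javascript: or data:, backslashes and ASCII control characters.
 */
function safe_form_action(string $candidate, string $default = '/submit-form'): string
{
    // Must start with exactly one slash: "/path" but not "//host/path".
    if (!preg_match('#\A/(?!/)#', $candidate)) {
        return $default;
    }
    // Reject backslashes (browsers treat "/\host" much like "//host") and
    // control characters, which URL parsers strip or normalise unpredictably.
    if (preg_match('#[\\\\\x00-\x1F\x7F]#', $candidate)) {
        return $default;
    }
    // parse_url() must agree that there is no scheme or host component.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

if (PHP_SAPI === 'cli') {
    // Constructed test inputs (not from the page) mapped to the expected result.
    $cases = [
        '/update-profile'          => '/update-profile',
        '/account?next=/home'      => '/account?next=/home',
        '//evil.example/collect'   => '/submit-form',
        'https://evil.example/x'   => '/submit-form',
        'javascript:alert(1)'      => '/submit-form',
        '/\\evil.example/collect'  => '/submit-form',
        "/path\r\nX: injected"     => '/submit-form',
    ];
    foreach ($cases as $input => $expected) {
        $got = safe_form_action($input);
        printf("%-28s -> %-22s %s\n", addcslashes($input, "\0..\37"), $got,
               $got === $expected ? 'ok' : 'MISMATCH');
    }
    exit;
}

// Defence in depth: the browser will refuse to submit any form on this page
// to a destination outside the page's own origin, even if the markup is wrong.
// Must be sent before any output.
header("Content-Security-Policy: form-action 'self'");

$action = safe_form_action($_GET['redirect'] ?? '/submit-form');
?>
<form action="<?php echo htmlspecialchars($action, ENT_QUOTES, 'UTF-8'); ?>" method="POST">
```

Run it from the command line (php file.php) to see each constructed input and the path it resolves to; served through a web server, the same file emits the CSP header and the form. The CSP directive is deliberately kept even though the helper already validates the path: if a later change bypasses the helper, the browser still blocks cross-origin submissions.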