When a web application accepts untrusted input, it may redirect the request to a URL contained in that input. An attacker can conduct a phishing scheme and steal user credentials by replacing the URL in the untrusted input with the address of a malicious site.
Because the server name in the crafted link matches the original site's, the phishing attempt looks more trustworthy. Unvalidated redirects and forwards can also be used to craft a URL that passes the application's access control check and then forwards the attacker to privileged functionality they would not ordinarily be allowed to access.
Redirections to Safe URLs
When we wish to automatically redirect a user to another page (without the visitor taking any action, such as clicking a hyperlink), we can use code like the following:
Java
response.sendRedirect("http://www.mysite.com");
PHP
<?php
/* Redirect browser */
header("Location: http://www.mysite.com");
/* Exit to prevent the rest of the code from executing */
exit;
?>
ASP .NET
Response.Redirect("~/folder/Login.aspx")
Rails
redirect_to login_path
In the above cases, the URL is explicitly specified in the code and so cannot be altered by an attacker.
Preventing Unvalidated Redirects and Forwards
There are several methods to use redirects and forwards safely:
- Simply avoid using redirects and forwards.
- If they are used, do not allow the destination URL to be supplied as user input.
- Wherever feasible, let the user supply a short name, ID, or token that is mapped server-side to the complete destination URL.
  - This gives the strongest protection against an attack that tampers with the URL.
  - Take care not to introduce an enumeration vulnerability, in which a user could cycle through IDs to discover all possible redirect targets.
- If user input cannot be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  - Sanitize input by validating it against a list of trusted URLs (a list of hosts or a regular expression).
  - This should be built on an allow-list approach rather than a block list.
- Force all redirects to first pass through a page that tells users they are leaving your site, clearly shows the destination, and requires them to click a link to confirm.
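The token-map and allow-list checks from the list above, shown in plain Ruby as an added example (not code from the original article); the host names, tokens and helper names are constructed assumptions, and the checks deliberately reject the protocol-relative, userinfo, look-alike-host and non-http forms that a naive host comparison misses:

```ruby
require "uri"

# Constructed allow-list of hosts the app may redirect to (assumption: the app
# runs on www.mysite.com and also owns help.mysite.com).
ALLOWED_HOSTS = ["www.mysite.com", "help.mysite.com"].freeze

# Constructed server-side map from short token to full destination URL.
# The client only ever supplies a token; unknown tokens fall back to "/".
REDIRECT_TARGETS = {
  "login"    => "https://www.mysite.com/login",
  "help"     => "https://help.mysite.com/",
  "checkout" => "https://www.mysite.com/cart/checkout",
}.freeze

# Preferred approach: resolve a token to a URL. Anything not in the map yields
# the fallback, so an attacker cannot inject a destination at all.
def resolve_redirect_token(token, fallback = "/")
  REDIRECT_TARGETS.fetch(token.to_s, fallback)
end

# Allow-list approach for the cases where a URL really must be accepted.
# Returns true only for a same-site relative path or an http(s) URL whose
# host is exactly one of ALLOWED_HOSTS.
def safe_redirect_url?(raw)
  s = raw.to_s
  # Browsers treat "/\evil.com" like "//evil.com"; reject backslashes outright.
  return false if s.empty? || s.include?("\\")
  uri = URI.parse(s)
  if uri.scheme.nil? && uri.host.nil?
    # No scheme and no host: a path such as "/account" stays on our site.
    # "//evil.com" parses with a host, so it never reaches this branch.
    return s.start_with?("/") && !s.start_with?("//")
  end
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.userinfo # "https://www.mysite.com@evil.com"
  ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
rescue URI::InvalidURIError
  false
end
```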
The ZOFixer.com security scan helps find this vulnerability in your web application; you can easily use it by registering on our website and activating the 30-day trial.