Unsafe Redirect

Severity: Medium
Test name: Unsafe Redirect
Test ID: unvalidated_redirect
Summary

An unvalidated redirect occurs when a web application causes the user's browser to navigate to an external URL without verifying the legitimacy of that URL. This issue arises if the application dynamically generates redirects based on URLs from untrusted sources. Attackers can exploit this by altering the untrusted URL input to redirect users to a malicious site, potentially executing a phishing attack to pilfer user credentials. Below is an illustrative example of how an attacker might construct a URL to exploit this vulnerability:

http://www.your_web_site.com/redirect?url=http://dangerous_web_site.com
Impact

This vulnerability allows attackers to bypass protection mechanisms, gain privileges, or assume identity.

Location
  • The issue can be found in the source code on the server side.
  • The issue can be found in the source code on the client side.
Remedy suggestions

The best way to avoid unvalidated redirects is not to use redirects or forwards at all. However, if the website or web application cannot function properly without them, there are several ways to handle them safely:

  • If there is a limited number of destination URLs, store all of them in persistent storage (for example, a database) with specific identifiers. Use these identifiers as the request parameters, so that each one redirects to its relevant URL.
  • If it is impossible to list destination pages and user input cannot be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
    • Sanitize the input by creating a list of trusted URLs (lists of hosts or a regex). Use the whitelist approach.
    • Remove the hostname from the redirection URL so it may only redirect to a different path on the same domain as the application.
  • Route all redirects through a notification message or special page informing the user that they are leaving your site, so that the user has to confirm the redirect.
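
The identifier lookup, the trusted-host list and the same-domain path restriction from the list above can be combined as in the following sketch. It is an added example, not code from the scanner or from any particular framework; the function names, the identifier table and the fallback page are assumptions, and the trusted host reuses the placeholder domain from the summary.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions); replace with the application's own.
REDIRECT_IDS = {"home": "/", "docs": "https://www.your_web_site.com/docs"}
TRUSTED_HOSTS = {"www.your_web_site.com"}
FALLBACK = "/"


def by_identifier(key):
    """The request carries a stored identifier, never a URL."""
    return REDIRECT_IDS.get(key, FALLBACK)


def _has_unsafe_chars(target):
    # Browsers treat "\" like "/" and drop tabs/newlines, so a string that
    # looks local to the server can still resolve to another host.
    return "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target)


def is_local_path(target):
    """Hostname removed: only an absolute path on the application's own host."""
    if _has_unsafe_chars(target):
        return False
    # "//host/path" is scheme-relative and leaves the site, so reject it.
    return target.startswith("/") and not target.startswith("//")


def is_trusted_absolute(target):
    """Host allowlist: exact match on the whole authority, https only."""
    if _has_unsafe_chars(target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    # Comparing netloc (not hostname) also rejects userinfo ("trusted@other")
    # and explicit ports; suffix and substring matches are never used.
    return parts.scheme == "https" and parts.netloc.lower() in TRUSTED_HOSTS


def safe_redirect_target(target):
    """Return target if it passes either check, otherwise the fallback page."""
    if is_local_path(target) or is_trusted_absolute(target):
        return target
    return FALLBACK
```

Call safe_redirect_target() on the untrusted parameter immediately before issuing the redirect, and log rejected values so that probing of the redirect endpoint is visible.
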
Classifications
  • CWE-601
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N