Unvalidated redirects and forwards is the tenth most critical security issue for web applications according to OWASP; it happens when an application takes a URL or an internal page as a parameter to perform a redirect or forward operation. If the parameter is not correctly validated, an attacker could abuse it making it to redirect to a malicious Web site.
In this recipe we will see how to validate that the parameter we receive for redirection or forwarding is the one that we intend to have when we develop the application.
- Don't want to be vulnerable? Don't use it. Whenever it's possible, avoid the use of redirects and forwards.
- If it is necessary to make a redirection, try not to use user-provided parameters (request variables) to calculate the destination.
- If the use of parameters is required, implement a table that works as a catalog of redirections, using an ID instead of a URL as the parameter the user should provide.
- Always validate the inputs that will be involved in a redirect or forward operation; use regular expressions or whitelists to check that the value provided is a valid one.
Redirects and forwards are one of the favorite tools of phishers and other social engineers and sometimes we don't have any control over the security of the destination; so, even when it is not our application, a security compromise on that part may affect us in terms of reputation. That's why the best choice is not to use them.
If the said redirect is to a known site, such as Facebook or Google, it is possible that we can establish the destinations in a configuration file or a database table and have no need of a client-provided parameter to do it.
If we build a database table containing all the allowed redirect and forward URLs, each one with an ID, we can ask for the ID as parameter instead of the destination itself. This is a form of whitelist that prevents the insertion of forbidden destinations.
Finally, and again, validation. It is very important that we always validate every input from the client, as we don't know what we can expect from our users. If we validate correctly the destination of a redirect, we can prevent, besides a malicious forward or redirect, a possible SQL Injection, XSS, or Directory Traversal. Hence, it's relevant.