Unvalidated redirects and forwards is the tenth most critical security issue for web applications according to OWASP; it happens when an application takes a URL or an internal page as a parameter to perform a redirect or forward operation. If the parameter is not correctly validated, an attacker could abuse it making it to redirect to a malicious Web site.
In this recipe we will see how to validate that the parameter we receive for redirection or forwarding is the one that we intend to have when we develop the application.
Redirects and forwards are one of the favorite tools of phishers and other social engineers and sometimes we don't have any control over the security of the destination; so, even when it is not our application, a security compromise on that part may affect us in terms of reputation. That's why the best choice is not to use them.
If the said redirect is to a known site, such as Facebook or Google, it is possible that we can establish the destinations in a configuration file or a database table and have no need of a client-provided parameter to do it.
If we build a database table containing all the allowed redirect and forward URLs, each one with an ID, we can ask for the ID as parameter instead of the destination itself. This is a form of whitelist that prevents the insertion of forbidden destinations.
Finally, and again, validation. It is very important that we always validate every input from the client, as we don't know what we can expect from our users. If we validate correctly the destination of a redirect, we can prevent, besides a malicious forward or redirect, a possible SQL Injection, XSS, or Directory Traversal. Hence, it's relevant.
3.141.3.175