Unvalidated Redirect
Description
An unvalidated redirect occurs when an application sends the user to a destination URL taken from a request parameter without first checking that destination against an allow-list. Because the malicious link starts on the application's own trusted domain, an attacker can use it to deliver victims to a phishing site that appears to be endorsed by the application.
Examples
Insecure Code
```java
// Destination is taken straight from the request and never checked
response.sendRedirect(request.getParameter("url"));
```
Secure Code
```java
String redirectUrl = request.getParameter("url");
// Exact match against a pre-defined list of complete destinations; no prefix checks
if (safeUrls.contains(redirectUrl)) {
    response.sendRedirect(redirectUrl);
} else {
    response.sendRedirect("/errorPage");
}
```
Remediation
Only redirect to destinations that are pre-defined in a safe list, and check that the requested URL is in that list before redirecting; otherwise send the user to a fixed fallback page. Compare the whole URL, or its parsed scheme and host, against the list rather than testing a prefix: a check such as url.startsWith("https://example.com") is defeated by https://example.com.evil.net/ and by https://example.com@evil.net/, and a check that the value merely begins with "/" still accepts the scheme-relative //evil.net/. Where the redirect only needs to return to a page within the application, an alternative that avoids the problem entirely is to accept an index or key that the server maps to a fixed URL, so no URL is read from the request at all.
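The following is an added example, not code from the rule page, that generalises the exact-match safe list above to a parsed allow-list of hosts plus local paths, and runs the bypass inputs a naive prefix check would let through. The host names example.com and accounts.example.com, the fallback /errorPage and the class name SafeRedirect are assumptions for illustration; the return value is what would be handed to response.sendRedirect() in a servlet.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class SafeRedirect {

    // Assumed allow-list of hosts this application may send users to.
    // These names are placeholders for the example, not from the rule page.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "accounts.example.com");

    /**
     * Returns a redirect target that is safe to pass to response.sendRedirect(),
     * or the fallback if the candidate is malformed, off-list or not a rooted local path.
     */
    public static String resolveRedirect(String candidate, String fallback) {
        if (candidate == null || candidate.isBlank()) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            // Backslashes, spaces and other illegal characters land here. Browsers are
            // lenient with them, so anything the parser rejects is not trusted either.
            return fallback;
        }

        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Local path such as "/account". "//evil.net" does not reach this branch:
            // the parser reads it as an authority, so it falls through to the host check.
            String path = uri.getRawPath();
            return (path != null && path.startsWith("/")) ? candidate : fallback;
        }

        // Absolute or scheme-relative URL: require https, no userinfo, and an allow-listed host.
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) {
            return fallback;   // rejects http://, javascript:, data: and scheme-relative //host
        }
        if (uri.getRawUserInfo() != null) {
            return fallback;   // rejects https://example.com@evil.net (getHost() would be evil.net anyway)
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return fallback;   // rejects https://example.com.evil.net and any unlisted host
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: what a ?url= parameter might carry
        String[] inputs = {
            "/account/settings",                       // local path: allowed
            "https://accounts.example.com/login?x=1",  // listed host: allowed
            "https://EXAMPLE.COM/",                    // host match is case-insensitive: allowed
            "//evil.net/phish",                        // scheme-relative, parsed as host evil.net: rejected
            "https://example.com.evil.net/",           // suffix trick that passes startsWith(): rejected
            "https://example.com@evil.net/",           // userinfo trick: rejected
            "http://example.com/",                     // downgrade to plaintext: rejected
            "javascript:alert(1)",                     // non-https scheme: rejected
            "/\\evil.net",                             // backslash is illegal in a URI: rejected
            "relative/path"                            // not rooted at "/": rejected
        };
        for (String in : inputs) {
            System.out.printf("%-42s -> %s%n", in, resolveRedirect(in, "/errorPage"));
        }
    }
}
```

Run it with `java SafeRedirect.java` (Java 11 or later). The page's own exact-match list remains the simplest correct option when the set of destinations is small and fixed; the parsed form above is for applications that must allow arbitrary paths on a few known hosts, and it rejects rather than tries to repair anything the URI parser cannot make sense of.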
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0701 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-601 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Open Redirect, Phishing |
| OWASP | A10:2013-Unvalidated Redirects and Forwards, A01:2021-Broken Access Control |