Untrusted user input in the response `Location` header (`res.location()`) can result in an open redirect vulnerability
Description
Passing untrusted user input to `res.location()` (or `res.redirect()`) writes it into the `Location` response header; combined with a 3xx status, the browser follows it to whatever host the attacker chose. Because the link a victim clicks starts with the trusted application's domain, this is readily abused for phishing: the user is sent to a look-alike site under the attacker's control that captures credentials, session tokens or OAuth codes.
Examples
Insecure Code
```javascript
const express = require('express');
const app = express();

// Vulnerable: req.params.url is attacker-controlled and is copied verbatim into
// the Location header, so a 302 can send the user to any host.
app.get('/redirect/:url', (req, res) => {
  res.location(req.params.url).status(302).end();
});
```

Secure Code

```javascript
const express = require('express');
const app = express();

// Exact-match allowlist of permitted redirect targets.
const allowedUrls = [
  'https://www.example.com/page1',
  'https://www.example.com/page2',
  'https://secure.example.com/page3',
];

app.get('/redirect/:url', (req, res) => {
  // Express has already percent-decoded route parameters, so the target sent as
  // /redirect/https%3A%2F%2Fwww.example.com%2Fpage1 arrives here fully decoded.
  // A second decodeURIComponent() would be redundant and throws on a stray "%".
  const url = req.params.url;
  const isAllowed = allowedUrls.includes(url);
  if (isAllowed) {
    res.location(url).status(302).end();
  } else {
    res.status(400).send('Invalid redirect URL');
  }
});
```

Remediation
Always validate user input that influences where the application sends the browser, in particular URL parameters and query strings used as redirect targets. Compare the target against an allowlist of known, trusted URLs (or trusted hostnames) before performing the redirect, and reject anything else with an error rather than falling back to the supplied value. When the allowlist is host-based, parse the target with the WHATWG `URL` API and compare the parsed hostname and scheme exactly; string checks such as `startsWith('https://www.example.com')` or `includes('example.com')` are bypassed by inputs like `https://www.example.com.evil.example/`, `https://www.example.com@evil.example/`, protocol-relative `//evil.example/` and the backslash variant `/\evil.example`, which browsers resolve to a foreign host. Where possible, avoid accepting URLs at all: accept only same-origin relative paths, or map an opaque key (`?next=account`) to a server-side table of destinations.
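The following is an added example written for this page, not code from the rule or from any project it describes. It generalizes the exact-match list above to a hostname allowlist that also accepts same-origin relative paths, and shows the bypass-style inputs from the remediation text being rejected. The application origin `https://www.example.com`, the allowed host `secure.example.com`, the `next` query parameter and the function names are assumptions for illustration.

```javascript
// Added example (editor-supplied, not the rule's own code). Assumed values:
// the application serves from https://www.example.com and may also redirect
// to secure.example.com.
const SELF_ORIGIN = 'https://www.example.com';
const ALLOWED_HOSTS = new Set(['www.example.com', 'secure.example.com']);

/**
 * Resolve a user-supplied redirect target against the application's own origin
 * and return a normalized absolute URL string if, and only if, it points at an
 * allowlisted host over https. Return null for everything else.
 */
function safeRedirectTarget(input, allowedHosts = ALLOWED_HOSTS, base = SELF_ORIGIN) {
  if (typeof input !== 'string' || input.length === 0) return null;

  let url;
  try {
    // Resolving against the base turns a relative path ("/account") into an
    // absolute same-origin URL. Protocol-relative ("//evil.example") and
    // backslash ("/\evil.example") inputs resolve to a foreign host, which the
    // hostname check below rejects. The parser throws on unparseable input.
    url = new URL(input, base);
  } catch {
    return null;
  }

  // Scheme check blocks javascript:, data:, http: and similar.
  if (url.protocol !== 'https:') return null;
  // Userinfo is never legitimate in a redirect target and is a common decoy
  // ("https://www.example.com@evil.example/" has hostname evil.example).
  if (url.username !== '' || url.password !== '') return null;
  // Exact hostname match: no prefix or suffix matching. The parser has already
  // lowercased the host, so "WWW.EXAMPLE.COM" compares equal to the allowlist.
  if (!allowedHosts.has(url.hostname)) return null;

  // url.href is the normalized form (default port dropped, path made absolute).
  return url.href;
}

// Express wiring for a handler that reads the target from ?next= (assumed
// parameter name). res.redirect(status, url) is the Express 4/5 signature.
function redirectHandler(req, res) {
  const target = safeRedirectTarget(req.query.next);
  if (target === null) {
    return res.status(400).send('Invalid redirect URL');
  }
  return res.redirect(302, target);
}

// Constructed sample inputs, as a practitioner would probe the check, mapped
// to the decision the validator makes for each of them.
const SAMPLE_INPUTS = [
  '/account',
  'https://secure.example.com/page3',
  'https://WWW.EXAMPLE.COM:443/x',
  '//evil.example/',
  '/\\evil.example',
  'https://www.example.com.evil.example/',
  'https://www.example.com@evil.example/',
  'javascript:alert(1)',
  'http://www.example.com/',
];

function classifySamples() {
  return Object.fromEntries(SAMPLE_INPUTS.map((s) => [s, safeRedirectTarget(s)]));
}

module.exports = { safeRedirectTarget, redirectHandler, classifySamples, SAMPLE_INPUTS };
```

Only the first three samples yield a target; every other entry, including the backslash and userinfo variants, resolves to a hostname outside the allowlist or to a non-https scheme and is refused with a 400. Because the validator returns the parser's normalized `href` rather than echoing the raw input, what ends up in the `Location` header is always a canonical URL the server itself constructed.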
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0409 |
| Category | Web |
| Severity | CRITICAL |
| CWE | CWE-601 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Open Redirect, Untrusted Input |
| OWASP | A1:2017-Injection, A03:2021-Injection |