Unvalidated Redirect
Description
Unvalidated redirects occur when an application redirects a user to a destination URL taken from a user-supplied parameter without validating it. Because the link the victim clicks points at the trusted application's own domain, an attacker can craft a URL that the application then forwards to a site under the attacker's control, which makes such flaws a convenient building block for phishing attacks.
Examples
Insecure Code
```scala
response.sendRedirect(request.getParameter("url"))
```
Secure Code
```scala
response.sendRedirect(validateAndEncodeUrl(request.getParameter("url")))
```
Remediation
Validate user-supplied redirect targets before passing them to sendRedirect: compare them against an allowlist of permitted URLs or hosts, or accept only absolute paths on the application's own origin. Encoding the value is not a substitute for this check; an encoded absolute URL to an attacker-controlled host still redirects the browser there. Reject (or replace with a safe default) anything that does not match, including scheme-relative forms such as //evil.example that carry a host without a scheme.
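The following is an added example, not code from this rule set or its authors, showing one way to implement the validateAndEncodeUrl helper referenced in the secure snippet as an allowlist check on top of java.net.URI. The hosts app.example.com and sso.example.com, the fallback of "/", and the sample inputs in main are all constructed for the example.

```scala
import java.net.URI
import scala.util.Try

// Allowlist-based redirect validator (added example; the host names are assumptions).
object RedirectValidator {
  private val AllowedHosts: Set[String] = Set("app.example.com", "sso.example.com")
  private val Fallback = "/"

  /** Returns a redirect target that is either an absolute path on this origin or an
    * https URL whose host is on the allowlist. Anything else becomes Fallback. */
  def safeRedirectTarget(raw: String): String = {
    val input = Option(raw).getOrElse("").trim
    // java.net.URI rejects backslashes, so inputs such as "/\evil.example" fail to
    // parse here and fall through to Fallback instead of reaching the browser.
    Try(new URI(input)).toOption match {
      // Absolute ("https://h/...") and scheme-relative ("//h/...") URLs both carry a host.
      case Some(u) if u.getHost != null =>
        val httpsOnly = u.getScheme == null || u.getScheme.equalsIgnoreCase("https")
        if (httpsOnly && AllowedHosts.contains(u.getHost.toLowerCase)) {
          val port = if (u.getPort == -1) "" else s":${u.getPort}"
          s"https://${u.getHost}$port${pathAndQuery(u)}"
        } else Fallback
      // Host-less, scheme-less input: accept only an absolute path. The result is rebuilt
      // from the parsed components rather than echoed back, because "///evil.example" is
      // parsed by java.net.URI as the path "/evil.example" while browsers treat the raw
      // string as a protocol-relative URL to evil.example.
      case Some(u) if u.getScheme == null && u.getRawPath != null && u.getRawPath.startsWith("/") =>
        pathAndQuery(u)
      // Opaque URIs (javascript:, data:), relative paths, empty input and parse failures.
      case _ => Fallback
    }
  }

  private def pathAndQuery(u: URI): String = {
    val path = Option(u.getRawPath).filter(_.nonEmpty).getOrElse("/")
    val query = Option(u.getRawQuery).map("?" + _).getOrElse("")
    path + query
  }

  // Constructed inputs showing which targets survive validation.
  def main(args: Array[String]): Unit = {
    val samples = Seq(
      "/account?tab=security",                 // kept: same-origin absolute path
      "https://sso.example.com/login",         // kept: allowlisted host over https
      "https://evil.example/phish",            // rejected: host not allowlisted
      "//evil.example/phish",                  // rejected: scheme-relative, foreign host
      "///evil.example",                       // rewritten to the local path /evil.example
      "https://app.example.com@evil.example/", // rejected: userinfo trick, host is evil.example
      "javascript:alert(1)",                   // rejected: opaque URI
      null                                     // rejected: missing parameter
    )
    samples.foreach { s =>
      val shown = Option(s).getOrElse("<null>")
      println(f"$shown%-45s -> ${safeRedirectTarget(s)}")
    }
  }
}
```

In the servlet the call becomes response.sendRedirect(RedirectValidator.safeRedirectTarget(request.getParameter("url"))). The validator deliberately does not try to "encode" the input: it either reconstructs a target from components it has checked or substitutes the fallback, which is what closes the open-redirect hole. Restricting external targets to https and a fixed host set is a design choice; widen AllowedHosts (or add port checks) to match the application's real trust boundary.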
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0034 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-601 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | redirect, phishing |
| OWASP | N/A |