Unvalidated redirects and forwards occur when a web application accepts untrusted input that can cause it to redirect the request to an untrusted website.
By changing the URL supplied in that input to a malicious site, an attacker may launch a phishing scam and steal user credentials.
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to reach pages they are not authorized to access.
Where is the problem in the following code?
Example 1 (PHP code): dangerous URL redirect
// The "url" query parameter is sent straight to the Location header with no validation.
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
Example 2 (.NET code): dangerous URL redirect
// Same flaw: the query-string value becomes the redirect target unchecked.
string url = Request.QueryString["url"];
Response.Redirect(url);
A page can also be redirected through script. If a URL carries a dynamic parameter (for example ?id= or ?search=) whose value is reflected into the page unescaped, an attacker can URL-encode a script (for instance with the Burp Suite encoder) and place it in that parameter.
Example: inside a script tag, window.location="www.example.com" is in clear text. URL-encoded, the same script becomes %3c%53%43%52%49%50%54%3e%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%22%3c%2f%53%43%52%49%50%54%3e. The encoded form is just the same window.location assignment; the server decodes it back to the original script before it reaches the page.
- Don't blindly redirect to URLs on the server side.
- Make sure you validate values assigned to location-related properties from client-side JavaScript.
- Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.
- If destination parameters can't be avoided, ensure that the supplied value is valid, and authorized for the user.