An unvalidated redirect or forward occurs when a web application accepts untrusted input that could cause it to redirect the request to an untrusted website.

By changing the untrusted URL input so that it points to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.

Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

What is the problem here?

The problem is that JavaScript sets document.location, or performs some other kind of redirect, to a URL under the attacker's control. The attacker can use this to launch attacks against the user, who is more likely to click the link because its hostname belongs to a trusted site.

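Example 1 (PHP code): dangerous URL redirect

// The destination is taken straight from the query string with no validation
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);

Example 2 (.NET code): dangerous URL redirect

// The destination is taken straight from the query string with no validation
string url = Request.QueryString["url"];
Response.Redirect(url);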

Scripts can also be used to redirect the page if the URL has a dynamic parameter, e.g. ?Id= or ?Search=. An attacker can encode the script in URL format using the Burp Suite encoder and add it to the URL.

Example: inside the script tag, window.location="www.example.com" is in clear text. The attacker will encode this script as

%3c%53%43%52%49%50%54%3e%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%22%3c%2f%53%43%52%49%50%54%3e

Decoded, the string above is a SCRIPT tag that assigns window.location, the same kind of redirect as the clear-text form.


  • Don't blindly redirect to URLs on the server side.
  • Make sure you validate values assigned to location-related
    properties from client-side JavaScript.
  • Force all redirects to first go through a page notifying
    users that they are leaving your site, and have them
    click a link to confirm.
  • If destination parameters can't be avoided, ensure that
    the supplied value is valid and authorized for the user.
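
One way to apply the validation points above, added here as an example and not part of the original page: resolve the supplied value against your own origin and accept it only if it parses to an HTTPS URL on an exact-match host allowlist. The origin, host list and fallback are assumed values; the offSite flag lets the caller send cross-origin destinations through the confirmation page from the third point.

```javascript
// Added example: allowlist check for a user-supplied redirect destination.
// BASE_ORIGIN, ALLOWED_HOSTS and FALLBACK are assumed values for illustration.
const BASE_ORIGIN = "https://app.example.com";
const ALLOWED_HOSTS = new Set(["app.example.com", "help.example.com"]);
const FALLBACK = { location: BASE_ORIGIN + "/", offSite: false };

function resolveRedirect(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return FALLBACK;
  // Control characters allow header splitting and are silently stripped by
  // URL parsers; browsers treat "\" like "/". Refuse both outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Resolve against our own origin so relative paths stay on-site and
    // "//host/path" is parsed the way a browser would follow it.
    url = new URL(raw, BASE_ORIGIN);
  } catch (e) {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK;                   // javascript:, data:, http:
  if (url.username !== "" || url.password !== "") return FALLBACK;  // trusted.host@other.host
  if (!ALLOWED_HOSTS.has(url.host)) return FALLBACK;                // exact match, port included

  // Return the parsed, normalized absolute URL, never the raw input or a bare
  // path: "/.//other.host" normalizes to the path "//other.host".
  return { location: url.href, offSite: url.origin !== BASE_ORIGIN };
}
```

Use the returned location for the Location header or the location assignment, never the original parameter.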