Input Validation / Form Action Hijacking (Reflected)

Web and API


Form action hijacking (reflected) is a type of input validation vulnerability in web and API applications that occurs when user-supplied input is not properly validated or sanitized. This type of attack occurs when an attacker uses malicious user input to modify the action attribute of a form element. This allows the attacker to hijack the form submission and send it to a malicious site. As a result, the user’s data is sent to the attacker instead of the intended destination. This vulnerability was assigned CWE-502 on the Common Weakness Enumeration (CWE) directory and is listed in the OWASP Testing Guide.


Form action hijacking (reflected) can lead to data leakage and other security issues. If an attacker is successful, they can access sensitive data, such as passwords and token values, that are sent from the form. This vulnerability can also be used to conduct phishing attacks, redirect users to malicious sites, or even execute malicious code on the user's system. The risk of this vulnerability is high and should be addressed as soon as possible.


To address this vulnerability, the application should validate and sanitize user-supplied input. This can be done by limiting the length of the input, validating the format of the input, and rejecting any input that is not expected. Additionally, the application should use Anti-CSRF tokens to protect against CSRF attacks.


For example, the following code is vulnerable to a form action hijacking attack.

<form action="<?php echo $_POST['redirect_url'];?>">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="submit" value="Submit" />

In this example, the form action attribute is set to the value of the redirect_url parameter, which is supplied by the user. This allows an attacker to modify the form action and hijack the form submission.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.