Input Validation / Form Action Hijacking (Reflected)

Web and API

Description

Form action hijacking (reflected) is an input validation vulnerability in web and API applications that occurs when user-supplied input is reflected into the action attribute of a form element without proper validation or sanitization. An attacker who controls that input can change where the form submits, so the browser sends the form contents to a site of the attacker's choosing instead of the intended destination. This vulnerability was assigned CWE-502 in the Common Weakness Enumeration (CWE) and is listed in the OWASP Testing Guide.

Risk

Form action hijacking (reflected) can lead to data leakage and other security issues. A successful attacker can capture sensitive data submitted through the form, such as passwords and token values. The vulnerability can also be used to conduct phishing attacks, redirect users to malicious sites, or even execute malicious code on the user's system. The risk of this vulnerability is high and should be addressed as soon as possible.

Solution

To address this vulnerability, the application should validate and sanitize user-supplied input before it is placed in a form's action attribute. This can be done by limiting the length of the input, validating its format, and rejecting any input that is not expected (such as an absolute URL that points to another origin). Additionally, the application should use anti-CSRF tokens to protect against CSRF attacks.
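The reflection the Description explains and the validation the Solution calls for, shown together as an added example that is not part of this page: a hypothetical login form whose action is taken from a return_to request value. The first renderer reflects the value unvalidated; the second applies a length limit, a format check that rejects any scheme or host, and an allowlist of known same-origin paths, and adds a session-bound anti-CSRF token. A small parser at the end checks a rendered page for forms that submit off-origin, which is the check a reviewer or scanner would run on responses. The parameter name, the allowlist entries, the hosts and the session identifier are all constructed for the example.

```python
import hashlib
import hmac
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- Vulnerable rendering: the request's return_to value (hypothetical
# parameter) is reflected straight into the form's action attribute. ---
def render_login_form_vulnerable(return_to: str) -> str:
    return (
        f'<form method="post" action="{return_to}">'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        '<button type="submit">Log in</button></form>'
    )

# --- Hardened rendering ---
# Constructed allowlist of same-origin form destinations the app knows about.
ALLOWED_ACTIONS = {"/login", "/account/update"}
DEFAULT_ACTION = "/login"
MAX_ACTION_LEN = 64

def is_allowed_action(candidate: str) -> bool:
    """Length limit, format check and allowlist, as the Solution section describes."""
    if len(candidate) > MAX_ACTION_LEN:
        return False
    parts = urlsplit(candidate)
    # Any scheme (http:, javascript:, data:) or host part (//other.example)
    # is rejected: a form action must stay a relative path on our own origin.
    if parts.scheme or parts.netloc:
        return False
    return candidate in ALLOWED_ACTIONS

# Constructed secret; a real deployment loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)

def make_csrf_token(session_id: str) -> str:
    """Bind the anti-CSRF token to the user's session with an HMAC."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id: str, token: str) -> bool:
    return hmac.compare_digest(make_csrf_token(session_id), token)

def render_login_form_safe(return_to: str, session_id: str) -> str:
    # Unexpected input is rejected and replaced by the default destination.
    action = return_to if is_allowed_action(return_to) else DEFAULT_ACTION
    token = make_csrf_token(session_id)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        '<button type="submit">Log in</button></form>'
    )

# --- Detection: check a rendered page for forms that submit off-origin ---
class _FormActionCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action":
                    self.actions.append(value or "")

def extract_form_actions(document: str) -> list[str]:
    parser = _FormActionCollector()
    parser.feed(document)
    return parser.actions

def has_external_action(document: str, own_host: str) -> bool:
    """True if any form posts to another host or uses a non-HTTP scheme."""
    for action in extract_form_actions(document):
        parts = urlsplit(action)
        if parts.scheme and parts.scheme not in ("http", "https"):
            return True
        if parts.netloc and parts.netloc.lower() != own_host.lower():
            return True
    return False

if __name__ == "__main__":
    # Constructed sample input: a tampered return_to value pointing off-origin.
    tampered = "https://attacker.example/collect"
    print(has_external_action(render_login_form_vulnerable(tampered), "app.example"))  # True
    print(has_external_action(render_login_form_safe(tampered, "sess-1"), "app.example"))  # False
```

The allowlist check deliberately does not try to "clean" a bad value; it falls back to a fixed default, because normalising attacker-shaped URLs is where most of these fixes go wrong. The detection helper is worth running against every page that renders a form whose destination depends on request data.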
