Input Validation / Form Action Hijacking (Stored)

Description

Form action hijacking (stored) is a type of input validation vulnerability that occurs when user-supplied data is used to dynamically construct a URL or form action without proper validation or sanitization. This type of attack is also referred to as an open redirect attack. This vulnerability is classified as CWE-601 in the Common Weakness Enumeration (CWE) directory and is listed in the OWASP Testing Guide as an input validation vulnerability.

Risk

Form action hijacking (stored) can pose a serious security risk as attackers can use a misconfigured form action to redirect unsuspecting users to malicious websites. Such a vulnerability can be exploited for phishing attacks and the theft of credentials and other sensitive information.

Solution

To prevent form action hijacking (stored), it is important to ensure that all user-supplied data is properly validated and sanitized before being used to dynamically construct a form action. This can be achieved by using whitelists or blacklisting certain characters and strings. Additionally, the form action should be checked to ensure that it is not pointing to a malicious website.