Input Validation / Form Action Hijacking (Stored)
Form action hijacking (stored) is a type of input validation vulnerability that occurs when user-supplied data is used to dynamically construct a URL or form action without proper validation or sanitization. This type of attack is also referred to as an open redirect attack. This vulnerability is classified as CWE-601 in the Common Weakness Enumeration (CWE) directory and is listed in the OWASP Testing Guide as an input validation vulnerability.
Form action hijacking (stored) can pose a serious security risk as attackers can use a misconfigured form action to redirect unsuspecting users to malicious websites. Such a vulnerability can be exploited for phishing attacks and the theft of credentials and other sensitive information.
To prevent form action hijacking (stored), all user-supplied data must be validated and sanitized before it is used to construct a form action. This can be done with an allowlist of permitted destinations (the more robust option) or by blocking certain characters and strings. Additionally, the resulting form action should be checked to ensure that it does not point to a malicious website, and the value should be output-encoded when written into the HTML attribute.
A web application uses user-supplied data to construct a form action without proper validation:
<form action="<?php echo $_GET['redirect_url']; ?>">
    <input type="submit" value="Submit">
</form>
In this example, attackers can manipulate the redirect_url parameter to point the form at a malicious website.
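The following is an added example, not code from the original entry: it places the vulnerable form above beside a hardened version that validates redirect_url against an allowlist of site-relative paths and trusted hosts before using it as the form action. The helper name safe_form_action, the allowed host names and the default path are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original entry). The function name, the
// allowed hosts and the default action are assumptions for illustration.

/**
 * Derive a safe form action from untrusted input.
 *
 * Accepts either a site-relative path such as "/checkout" or an absolute
 * https URL whose host is on the allowlist. Anything else (other schemes,
 * protocol-relative "//host" paths, unknown hosts, embedded credentials,
 * control characters) falls back to $default.
 */
function safe_form_action(string $candidate, array $allowedHosts, string $default = '/'): string
{
    // Reject control characters and whitespace outright.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $default;
    }

    // Site-relative path: a single leading "/" that is not followed by "/" or "\"
    // (both can be interpreted as protocol-relative and leave the site).
    if (preg_match('#^/(?![/\\\\])[^\\\\]*$#', $candidate)) {
        return $candidate;
    }

    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // "javascript:", "data:" and scheme-only values have no host: reject.
        return $default;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return $default;
    }
    // Embedded credentials ("https://trusted@evil.example/") are a common
    // trick to make a URL look trusted; reject them explicitly.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    // Exact, case-insensitive host match against the allowlist.
    $allowedLower = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($parts['host']), $allowedLower, true)) {
        return $default;
    }
    return $candidate;
}

// Assumed trusted destinations for this illustration.
$allowed = ['www.example.com', 'checkout.example.com'];
$action  = safe_form_action($_GET['redirect_url'] ?? '', $allowed, '/submit');
?>
<!-- Validation selects the destination; output encoding prevents attribute breakout. -->
<form action="<?php echo htmlspecialchars($action, ENT_QUOTES, 'UTF-8'); ?>" method="post">
    <input type="submit" value="Submit">
</form>
```

With this in place, values such as "https://evil.example/", "//evil.example", "javascript:alert(1)" and "https://www.example.com@evil.example/" all resolve to the default action, while "/checkout?step=2" and "https://checkout.example.com/pay" are passed through unchanged. Keeping the allowlist of hosts in configuration rather than in the page makes the check auditable and easy to extend.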