Input Validation / Form Action Hijacking (Stored)

Web and API


Form action hijacking (stored) is a type of input validation vulnerability that occurs when user-supplied data is used to dynamically construct a URL or form action without proper validation or sanitization. This type of attack is also referred to as an open redirect attack. This vulnerability is classified as CWE-601 in the Common Weakness Enumeration (CWE) directory and is listed in the OWASP Testing Guide as an input validation vulnerability.


Form action hijacking (stored) can pose a serious security risk as attackers can use a misconfigured form action to redirect unsuspecting users to malicious websites. Such a vulnerability can be exploited for phishing attacks and the theft of credentials and other sensitive information.


To prevent form action hijacking (stored), it is important to ensure that all user-supplied data is properly validated and sanitized before being used to dynamically construct a form action. This can be achieved by using whitelists or blacklisting certain characters and strings. Additionally, the form action should be checked to ensure that it is not pointing to a malicious website.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.