Information Leakage / Long Redirection Response

Description

Long redirection response is an information leakage vulnerability that occurs in web and API applications. This vulnerability is identified in the CWE directory as CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). It is defined as a security issue where an attacker can use a vulnerable web application to redirect users to an untrusted site, allowing the attacker to steal user credentials or other sensitive data. This vulnerability is commonly found in web applications that use an open redirection response, where a user is redirected to a URL that is not hard-coded or validated by the application. The OWASP Testing Guide provides further guidance on how to test for this vulnerability.

Risk

Long redirection response can lead to serious consequences such as user credential theft, phishing attacks, spam, and malicious content. It also can lead to a user’s browser being exposed to malicious code. This vulnerability has a high risk assessment due to the potential of a malicious actor gaining access to user data.

Solution

To mitigate this vulnerability, organizations should ensure that all URLs used for redirection are hard-coded and validated by the application. Organizations should also ensure that their web and API applications never accept an open redirection response from user input. Additionally, organizations should use proper authentication and authorization mechanisms to ensure that only valid users can access the application.