Input Validation / Open Redirection
Open redirection is an input validation vulnerability, catalogued in the CWE directory as CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). It occurs when an application takes a user-controlled value (typically a query parameter such as url, next, or returnTo) and uses it as the target of a redirect without verifying that the destination is one it trusts. The flaw is common in web and API applications, especially in login, logout, and "return to where you were" flows. An attacker can craft a link to the legitimate site that forwards the victim on to a site under the attacker's control, where the victim can be tricked into entering credentials or other sensitive information. The OWASP Testing Guide has a section dedicated to open redirection techniques and test cases.
The main risk of open redirection is phishing. Because the link the victim clicks genuinely points at a trusted domain, it passes casual inspection and many URL reputation filters, and the victim is only forwarded to the attacker's site after the trusted server has responded. This makes the vulnerability attractive for laundering malicious links through a reputable domain in phishing and spam campaigns. Open redirection can also escalate to cross-site scripting when the redirect is performed client-side (for example by assigning the parameter to window.location) and the target scheme is not restricted: a javascript: URL in the parameter then executes script in the origin of the vulnerable application.
The best way to prevent open redirection is to avoid accepting a free-form URL at all: accept an index or key into a server-side table of permitted destinations, or accept only a relative path on the application's own site. Where redirects to other sites are genuinely required, parse the supplied URL and compare its scheme and hostname exactly against an allowlist of approved hosts, rejecting anything that does not match. Encoding the value does not help here: a correctly encoded attacker URL is still an attacker URL, so encoding only addresses header injection, not the redirect itself. Common mistakes when writing the check are prefix or substring matching on the string (https://www.example.com.evil.test and https://www.example.com@evil.test both "contain" the trusted host), failing to treat protocol-relative inputs such as //evil.test as absolute URLs, and not accounting for backslashes and extra slashes that browsers normalise into a host separator. Where the destination cannot be fully trusted, an interstitial page that shows the user the URL they are about to visit is a reasonable additional control.
In this example, the application takes the url parameter from the request and copies it verbatim into the Location header of the redirect response without validating it. Any absolute URL supplied by the attacker, including one pointing at a site they control, is therefore honoured:

    GET /redirect?url=<user_input> HTTP/1.1
    Host: www.example.com

    HTTP/1.1 302 Found
    Location: <user_input>
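As an added example, not part of the original page, the following Python shows the flaw from the exchange above beside a hardened check that implements the prevention advice: same-site relative paths are accepted, absolute URLs are accepted only when their parsed hostname is exactly on an allowlist, and everything else falls back to a default. The `ALLOWED_HOSTS` set, `APP_ORIGIN`, and the attacker host `evil.test` are constructed for illustration; a real application would take the allowlist from configuration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the hosts the application may redirect to,
# and its own origin. A real application would take these from configuration.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
APP_ORIGIN = "https://www.example.com"
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(user_input: str) -> str:
    """The flaw described on the page: the url parameter becomes the
    Location header unchanged, so any destination the attacker supplies
    is honoured."""
    return user_input


def safe_redirect_target(user_input: str) -> str:
    """Return a redirect target that is either a path on this site or an
    https URL whose hostname is exactly in ALLOWED_HOSTS; otherwise fall
    back to DEFAULT_TARGET. Encoding alone would not achieve this: an
    encoded attacker URL is still an attacker URL."""
    if not user_input:
        return DEFAULT_TARGET

    # Backslashes and control characters are parsed differently by browsers
    # and by urlsplit, and CR/LF would also permit header injection. Reject
    # them rather than guess how a client will normalise them.
    if "\\" in user_input or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_input):
        return DEFAULT_TARGET

    parts = urlsplit(user_input)
    scheme = parts.scheme.lower()

    # Non-HTTP schemes (javascript:, data:, ...) are never valid here; this
    # also closes the redirect-to-XSS path for client-side redirects.
    if scheme and scheme not in ("http", "https"):
        return DEFAULT_TARGET

    # Same-site relative path: exactly one leading slash. "//host" is a
    # network-path reference, and browsers treat "///host" the same way, so
    # both are rejected by testing the raw input rather than parsed fields.
    if not scheme and not parts.netloc:
        if user_input.startswith("/") and not user_input.startswith("//"):
            return urljoin(APP_ORIGIN, user_input)
        return DEFAULT_TARGET

    # Absolute URL: require https and an exact hostname match. Comparing the
    # parsed hostname, not a prefix or substring of the string, defeats
    # "https://www.example.com.evil.test" (trusted name as a subdomain
    # label) and "https://www.example.com@evil.test" (trusted name as the
    # userinfo part; urlsplit().hostname is the part after the '@').
    if scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return user_input
    return DEFAULT_TARGET


def redirect_response(user_input: str, hardened: bool = True) -> str:
    """Build the 302 response from the page's example for a given url value,
    using either the vulnerable or the hardened target selection."""
    target = safe_redirect_target(user_input) if hardened else vulnerable_redirect_target(user_input)
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are the
    # classic bypass attempts an assessor would try against the check.
    samples = [
        "/account",
        "https://accounts.example.com/login?x=1",
        "https://www.example.com.evil.test/",
        "https://www.example.com@evil.test/",
        "//evil.test/",
        "///evil.test/",
        "/\\evil.test/",
        "javascript:alert(document.domain)",
        "/x\r\nSet-Cookie: session=attacker",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable -> {vulnerable_redirect_target(s)!r:45} "
              f"hardened -> {safe_redirect_target(s)!r}")
```

Running the block prints each sample beside the target the vulnerable and hardened versions would put in the Location header. The hardened check deliberately rejects plain http:// targets as well, so that a redirect cannot downgrade the user to cleartext; drop that condition only if the application really needs it.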