Input Validation / Open Redirection

Web and API

Description

Open redirection is an input validation vulnerability, catalogued in the CWE directory as 'CWE-601: URL Redirection to Untrusted Site (Open Redirection)'. It occurs when an application accepts user-controlled input and uses it to redirect the user to an external, untrusted website. The vulnerability is commonly found in web and API applications. Attackers exploit it to send a user from a legitimate website to a malicious one, where the user's credentials or other sensitive information can be stolen. The OWASP Testing Guide has a section dedicated to open redirection techniques and test cases.

Risk

Open redirection vulnerabilities can be used by attackers to launch phishing attacks, which present a high risk to organizations. Because the link a victim clicks begins on a trusted domain, attackers can use open redirection to trick unsuspecting users into visiting malicious websites, where they may be persuaded to give up their credentials or other sensitive information. In addition, open redirection can be used to conduct cross-site scripting (XSS) attacks, which inject malicious code into an application.

Solution

The best way to prevent open redirection is to ensure that all user-controlled inputs are validated before they are used in any redirect. This can be done by validating the input against a whitelist of approved URLs (or hosts) and rejecting any input that does not match, falling back to a known-good location such as the application's home page. Additionally, any user-controlled input should be encoded before it is placed in a response, so that malicious input is not passed through to the browser unchanged.
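The whitelist check described above, as an added example that is not part of the original page: the allowed hosts and the fallback target are assumed values, and the checks cover the usual bypasses of a naive "starts with /" test (protocol-relative `//host`, backslash variants, userinfo tricks, non-http schemes and header-splitting characters).

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed values for the example).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"  # known-good fallback when validation fails


def is_safe_redirect(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for (a) same-site paths such as "/account" or
    (b) absolute http(s) URLs whose host is exactly one of allowed_hosts."""
    if not next_url or any(ord(c) < 0x20 or c == "\x7f" for c in next_url):
        return False  # CR/LF and other control characters: header splitting, parser confusion

    # Same-site path: exactly one leading "/". Browsers treat "//evil.com" and
    # "/\evil.com" as protocol-relative URLs, so those are rejected here.
    if next_url.startswith("/"):
        return len(next_url) == 1 or next_url[1] not in "/\\"

    if "\\" in next_url:
        return False  # browsers rewrite "\" to "/" in http(s) URLs; refuse the ambiguity

    try:
        parts = urlsplit(next_url)
    except ValueError:
        return False  # malformed authority (e.g. bad IPv6 brackets)

    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-less "evil.com"
    if "@" in parts.netloc or not parts.hostname:
        return False  # userinfo tricks such as https://app.example.com@evil.com
    return parts.hostname in allowed_hosts  # hostname is already lowercased


def safe_redirect_target(next_url: str) -> str:
    """Hardened redirect: use the supplied target only if it passes the allowlist."""
    return next_url if is_safe_redirect(next_url) else DEFAULT_TARGET
```

Bare relative paths without a leading "/" (for example `account`) are deliberately rejected; accept them only if the application resolves them itself against a fixed base.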
