Authentication / Request URL Override

Web and API


Request URL override is an authentication vulnerability (CWE-287, Improper Authentication) in web and API applications. It occurs when the server lets the client override the URL it actually routes, typically through a request header such as X-Original-URL or X-Rewrite-URL or a URL parameter, without validating it, so that access control is enforced on one path while the application serves another. An attacker can then bypass authentication and reach restricted resources. The OWASP Testing Guide covers this class of weakness in its chapter on authentication testing, under testing for bypassing the authentication schema.


The risk of this vulnerability is high: an attacker can read data or reach functionality without ever authenticating, which defeats the access controls that the application, or the reverse proxy in front of it, relies on.


To mitigate the risk, treat any URL or path supplied in the request as untrusted: ignore or strip override headers at the proxy or application boundary, normalize the path (percent-decoding, dot segments) before comparing it against access rules, and enforce authentication on the path the application actually routes rather than only on the path the front end saw. This validation must apply to every request, including URLs that point to a different host or domain.


For example, CVE-2018-14773 in Symfony's HttpFoundation component was caused by inadequate URL validation: the Request class honoured the X-Original-URL and X-Rewrite-URL headers, so a request whose URL the web server or reverse proxy had allowed could be routed by the application to a different, restricted path, exposing sensitive information. The PHP fragment below shows the underlying mistake in its simplest form: a URL taken directly from the request and used without any validation (here as a redirect target).

if (isset($_GET['url'])) {
    // The target comes straight from the query string and is never validated,
    // so any caller-supplied URL is accepted as-is.
    $url = $_GET['url'];
    header('Location: ' . $url);
    exit;
}
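To make the bypass and the mitigation described above concrete, the following Python simulation is an added example (not code from the original page and not Symfony's own code). It models a reverse proxy that enforces authentication on the request-line path in front of an application; the first application variant honours the X-Original-URL and X-Rewrite-URL headers named in the CVE-2018-14773 advisory, the second ignores them and re-checks authentication on the normalized path it actually routes. The protected prefix, the handler functions and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed for this example: the area a reverse proxy protects, and the two
# override headers named in the Symfony advisory for CVE-2018-14773.
PROTECTED_PREFIX = "/admin"
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def normalize_path(path):
    """Percent-decode and collapse dot segments so every check compares one form."""
    norm = posixpath.normpath(unquote(path))
    return norm if norm.startswith("/") else "/" + norm


def is_protected(path):
    norm = normalize_path(path)
    return norm == PROTECTED_PREFIX or norm.startswith(PROTECTED_PREFIX + "/")


def front_end_check(request_path, authenticated):
    """Reverse-proxy rule: the protected prefix requires an authenticated session.

    It only sees the path on the request line, never the application's routing.
    """
    return authenticated or not is_protected(request_path)


def serve(path):
    """Application handler keyed on the path that was finally routed."""
    return (200, "admin panel") if is_protected(path) else (200, "public page")


def app_vulnerable(request_path, headers, authenticated):
    """Honours the override headers and relies on the proxy for authentication."""
    path = request_path
    for name in OVERRIDE_HEADERS:
        if name in headers:
            path = urlsplit(headers[name]).path  # attacker-controlled routing target
            break
    return serve(path)


def app_fixed(request_path, headers, authenticated):
    """Ignores override headers and re-checks authentication on the routed path."""
    path = normalize_path(request_path)
    if is_protected(path) and not authenticated:
        return (403, "forbidden")
    return serve(path)


def handle(request_path, headers, authenticated, app):
    """Full flow: proxy access control first, then the application's own routing."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not front_end_check(request_path, authenticated):
        return (401, "authentication required")
    return app(request_path, headers, authenticated)


if __name__ == "__main__":
    bypass = {"X-Original-URL": "/admin"}
    print(handle("/admin", {}, False, app_vulnerable))  # proxy blocks the direct request
    print(handle("/", bypass, False, app_vulnerable))   # proxy sees "/", app routes /admin
    print(handle("/", bypass, False, app_fixed))        # header ignored, public page served
    print(handle("/%61dmin", {}, False, app_fixed))     # encoded path is still blocked
```

The two design points are that the hardened application never lets request data choose a different path from the one the front end authorized, and that both layers normalize before comparing, so an encoded or dot-segment variant of the protected prefix cannot slip past one check and match the other.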
