https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Robert+Hof
OWASP - User contributions [en]
2026-04-24T08:30:22Z
User contributions
MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=Open_redirect&diff=126435
Open redirect
2012-03-16T17:36:03Z
<p>Robert Hof: Undo revision 126434 by Robert Hof (talk)</p>
<hr />
<div>{{Template:Stub}}<br />
{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]<br />
<br />
==Description==<br />
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.<br />
<br />
'''Consequences'''<br />
<br />
[[Phishing]]<br />
<br />
'''Platform'''<br />
All web platforms affected<br />
<br />
<br />
==Risk Factors==<br />
<br />
TBD<br />
<br />
==Examples==<br />
<br />
http://www.vulnerable.com?redirect=http://www.attacker.com<br />
<br />
The phishing use can be more complex, using complex encoding:<br />
<br />
Real redirect: http://www.vulnerable.com/redirect.asp?=http://www.links.com<br />
<br />
Faked link: http://www.vulnerable.com/security/advisory/23423487829/../../../redirect.asp%3F%3Dhttp%3A//www.facked.com/advisory/system_failure/password_recovery_system<br />
<br />
==Related [[Attacks]]==<br />
<br />
* [[Attack 1]]<br />
* [[Attack 2]]<br />
<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[Open forward]]<br />
<br />
==Related [[Controls]]==<br />
<br />
* To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending 302 HTTP code (redirect) to the client browser.<br />
<br />
The server must have a relation of the authorized redirections (i.e. in a database).<br />
<br />
==Related [[Technical Impacts]]==<br />
<br />
* [[Technical Impact 1]]<br />
* [[Technical Impact 2]]<br />
<br />
<br />
==References==<br />
<br />
TBD<br />
<br />
[[Category:FIXME|add links<br />
<br />
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki><br />
<br />
Availability Vulnerability<br />
<br />
Authorization Vulnerability<br />
<br />
Authentication Vulnerability<br />
<br />
Concurrency Vulnerability<br />
<br />
Configuration Vulnerability<br />
<br />
Cryptographic Vulnerability<br />
<br />
Encoding Vulnerability<br />
<br />
Error Handling Vulnerability<br />
<br />
Input Validation Vulnerability<br />
<br />
Logging and Auditing Vulnerability<br />
<br />
Session Management Vulnerability]]<br />
<br />
__NOTOC__<br />
<br />
<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:Vulnerability]]</div>
Robert Hof
https://wiki.owasp.org/index.php?title=Open_redirect&diff=126434
Open redirect
2012-03-16T17:34:59Z
<p>Robert Hof: The vulnerable.com website no longer exists as a worthwhile resource, it appears to have turned into a link farm placeholder.</p>
<hr />
<div>{{Template:Stub}}<br />
{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]<br />
<br />
==Description==<br />
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.<br />
<br />
'''Consequences'''<br />
<br />
[[Phishing]]<br />
<br />
'''Platform'''<br />
All web platforms affected<br />
<br />
<br />
==Risk Factors==<br />
<br />
TBD<br />
<br />
==Examples==<br />
<br />
<br />
The phishing use can be more complex, using complex encoding:<br />
<br />
Real redirect: http://www.vulnerable.com/redirect.asp?=http://www.links.com<br />
<br />
Faked link: http://www.vulnerable.com/security/advisory/23423487829/../../../redirect.asp%3F%3Dhttp%3A//www.facked.com/advisory/system_failure/password_recovery_system<br />
<br />
==Related [[Attacks]]==<br />
<br />
* [[Attack 1]]<br />
* [[Attack 2]]<br />
<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[Open forward]]<br />
<br />
==Related [[Controls]]==<br />
<br />
* To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending 302 HTTP code (redirect) to the client browser.<br />
<br />
The server must have a relation of the authorized redirections (i.e. in a database).<br />
<br />
==Related [[Technical Impacts]]==<br />
<br />
* [[Technical Impact 1]]<br />
* [[Technical Impact 2]]<br />
<br />
<br />
==References==<br />
<br />
TBD<br />
<br />
[[Category:FIXME|add links<br />
<br />
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki><br />
<br />
Availability Vulnerability<br />
<br />
Authorization Vulnerability<br />
<br />
Authentication Vulnerability<br />
<br />
Concurrency Vulnerability<br />
<br />
Configuration Vulnerability<br />
<br />
Cryptographic Vulnerability<br />
<br />
Encoding Vulnerability<br />
<br />
Error Handling Vulnerability<br />
<br />
Input Validation Vulnerability<br />
<br />
Logging and Auditing Vulnerability<br />
<br />
Session Management Vulnerability]]<br />
<br />
__NOTOC__<br />
<br />
<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:Vulnerability]]</div>
Robert Hof