This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse

Revision as of 19:07, 14 May 2013 by James Landis (talk | contribs) (Created page with "Return to Periodic Table Working View == URL Redirector Abuse == === Root Cause Summary === Ap...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Return to Periodic Table Working View

URL Redirector Abuse

Root Cause Summary

Applications accept arbitrary user-defined URLs as input, which are then used as targets for redirection. Users may be unwittingly rerouted to a malicious site from a site they trust.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

The framework should expose a configurable white list of hosts and/or paths that are acceptable targets for URL redirection. This might include additional rules about stripping [fragments] and URL parameters from the redirection target. The default rule set should allow only relative URLs to prevent redirection away from the original site.

The framework should prevent application code from directly modifying Location, Refresh, or any other response headers that might be used by the browser to load URL resources. The framework should prevent the use of document.location and window.location in JavaScript. Instead, the framework should expose an API for URL redirection which can accept an arbitrary URL, but applies the white list rules and transformations before allowing the redirect.

Session expiration code and code which handles unauthenticated deep linking should automatically apply the white list when attempting to redirect back to a requested URL after successful authentication.

Custom Framework Solution


Custom Code Solution


Discussion / Controversy


OWASP Top 10 2010 - A10 Unvalidated Redirects and Forwards
Redirector Abuse (WASC)
URL Redirection to Untrusted Site