This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse
Return to Periodic Table Working View
URL Redirector Abuse
Root Cause Summary
Applications accept arbitrary user-defined URLs as input, which are then used as targets for redirection. Users may be unwittingly rerouted to a malicious site from a site they trust.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
The framework should expose a configurable white list of hosts and/or paths that are acceptable targets for URL redirection. This might include additional rules about stripping fragments and URL parameters from the redirection target. The default rule set should allow only relative URLs, in order to prevent redirection away from the original site.
The framework should prevent application code from directly modifying Location, Refresh, or any other response headers that might be used by the browser to load URL resources. The framework should prevent the use of document.location and window.location in JavaScript. Instead, the framework should expose an API for URL redirection which can accept an arbitrary URL, but applies the white list rules and transformations before allowing the redirect.
Session expiration code and code which handles unauthenticated deep linking should automatically apply the white list when attempting to redirect back to a requested URL after successful authentication.
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
References
OWASP Top 10 2010 - A10 Unvalidated Redirects and Forwards
Redirector Abuse (WASC)
URL Redirection to Untrusted Site