This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Open redirect"

From OWASP
(13 intermediate revisions by 5 users not shown)

The latest revision replaces the page content with a redirect:

#REDIRECT [[Unvalidated_Redirects_and_Forwards_Cheat_Sheet]]

The sections below are the earlier revision's content.
 
 
An open redirect occurs when an application takes a URL from a request parameter and redirects the user to it without validating the destination. Because the link the victim clicks points at the trusted site, the flaw is used in phishing attacks to send users to a malicious site without their realizing it.
 
 
 
{{Template:Stub}}
 
 
 
==Consequences ==
 
 
 
[[Phishing]]
 
 
 
==Exposure period ==
 
 
 
==Platform ==
 
All web platforms affected
 
 
 
==Required resources ==
 
 
 
==Severity ==
 
 
 
 
 
==Likelihood of exploit ==
 
 
 
 
 
==Avoidance and mitigation ==
 
To avoid the open redirect vulnerability, the application must validate the redirect parameter before sending the redirect response (a 302, or any other 3xx status carrying a Location header) to the client browser. The check should be an allowlist, not a denylist: accept only same-site relative paths or absolute URLs whose host is explicitly permitted. Protocol-relative values such as //www.attacker.com, backslashes (which browsers normalise to slashes), and user-info tricks such as http://www.vulnerable.com@www.attacker.com all pass a naive prefix or substring comparison and must be rejected.

The server should keep its own list of authorized redirect destinations (e.g. in a database or configuration file) and, where possible, have the client send a key that is looked up in that list rather than a URL.
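The two mitigations above (allowlist validation of the parameter, and an indirect server-side table of authorized destinations) as a reference implementation. This is an added example, not code from the OWASP wiki; the allowlist host, the default target and the named-redirect table are hypothetical, and the host name reuses the www.vulnerable.com from the example below.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for the example site on this page; a real deployment
# would load it from configuration or a database, as the text suggests.
ALLOWED_HOSTS = frozenset({"www.vulnerable.com"})

# Fallback used whenever the requested target is rejected.
DEFAULT_TARGET = "/"

# Hypothetical table of named redirect destinations (the "authorized
# redirections" approach): the client sends a key, never a URL.
REDIRECT_TABLE = {
    "home": "/",
    "account": "/account/settings",
    "partner": "https://www.vulnerable.com/partner/landing",
}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is a same-site path or an absolute
    http(s) URL whose host is on the allowlist."""
    if not target:
        return False
    # Browsers normalise backslashes to slashes, and CR/LF/TAB can be used to
    # inject a second header or confuse the parser, so reject them before
    # parsing rather than trying to canonicalise them.
    if any(c in target for c in "\\\r\n\t"):
        return False

    parts = urlsplit(target)

    if parts.scheme or parts.netloc:
        # Absolute URL, or protocol-relative "//host" (netloc but no scheme).
        # Only http/https are acceptable: "javascript:" is refused here, and
        # "//www.attacker.com" is refused because its scheme is empty.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # .hostname strips userinfo and port and lowercases, so
        # "https://www.vulnerable.com@www.attacker.com/" yields www.attacker.com
        # and is compared against the allowlist as such.
        host = parts.hostname
        return host is not None and host in allowed_hosts

    # Relative URL: require exactly one leading slash so the browser resolves
    # it against the current origin ("///x" is rejected as well).
    return target.startswith("/") and not target.startswith("//")


def choose_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Validate a user-supplied target and fall back to DEFAULT_TARGET."""
    return target if is_safe_redirect(target, allowed_hosts) else DEFAULT_TARGET


def resolve_redirect_key(key):
    """Indirect redirect: look the client-supplied key up in the server-side
    table so the client value is never echoed into the Location header."""
    return REDIRECT_TABLE.get(key, DEFAULT_TARGET)


if __name__ == "__main__":
    for value in ("/account", "//www.attacker.com", "http://www.attacker.com",
                  "https://www.vulnerable.com/login", "javascript:alert(1)",
                  "https://www.vulnerable.com@www.attacker.com/"):
        print(f"{value!r:50} -> {choose_redirect(value)!r}")
```

`urlsplit().hostname` ignores the port, so `https://www.vulnerable.com:8080/` is accepted here; compare `parts.netloc` instead if the port matters. The indirect table is the stronger design: the redirect parameter then carries an opaque key, and an attacker gains nothing from tampering with it.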
 
 
 
==Discussion ==
 
 
 
 
 
==Examples ==
 
 
 
http://www.vulnerable.com?redirect=http://www.attacker.com

The victim sees a link to www.vulnerable.com, a site they trust, but the application's redirect response sends the browser on to www.attacker.com.
 
 
 
==Related problems ==
 
 
 
* [[Open forward]]
 
 
 
[[Category:Vulnerability]]
 

Latest revision as of 00:26, 21 September 2016