Invalidated Redirects and Forwards
Web applications which use some sort of visible URL redirects to perform activities such as page navigation or post user authentication redirects are vulnerable to these attacks. Such a visible redirect exposes the user to a phishing attack where an attacker could route the user to a malicious website and exploit the session or install malware on user’s computer.
As an example, imagine that we have an application which redirects the user by passing in the URL as a parameter:
http://www.trustedApp.com/redirect.jsp?
url=www. trustedApp.com/home.jsp
The attacker could manipulate the user by changing this URL parameter in order to redirect to a malicious site that performs phishing.
Prevention Measures
- Consider adopting a single-page-application design, where the underlying navigation URL is not exposed to the end user.
- Simply avoid using redirects and forwards.
- If used, don’t involve user parameters in calculating the destination.
- If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user. It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL.