×

iFour Logo

Unvalidated Redirects and Forwards

iFour Team - November 07, 2017

Listening is fun too.

Straighten your back and cherish with coffee - PLAY !

  • play
  • pause
  • pause
Unvalidated Redirects and Forwards

Many times it happens that you get a link via mail or social media and when you directly click on that link you are fortunately directed towards some wrong website which is not supposed to be. This is an example of Unvalidated redirects and forwards as per software development companies.

Unvalidated redirects and forwards is ranked 10th on the list of OWASP top 10 vulnerabilities 2013. In this vulnerability a web application accepts untrusted source which could cause the web application to redirect on any untrusted web application. On modifying that untrusted URL source to a malicious site, the attacker can do any phishing scam and steal any sensitive user data. Here websites many times forward or redirect users to any other web pages and use untrusted data to identify the destination pages. Without any proper validation, attackers redirects victims to malware sites or uses forwards to have the access of unauthorized pages.

How to find the web application is vulnerable to redirects?


Here are best ways to find out if a web application has any unvalidated redirects and forwards or not.

Review the entire code which automatically redirects or forwards. For each redirects, review if target URL has any parameter values. If you find any target URL isn’t validated against whitelist than your application is vulnerable.

Check the site if it generates any redirects. If it does than change the URL target and check whether the site redirects to a new target.

 

In case code is unavailable, check for all parameters to identify if they seem to be part of a redirect or forward URL and test them.

 

How actually it looks like?


Take an example of an email. Many times it happens that you get a link of any other website in your mail.

 
Unvalidate Redirect Example

According to this link we are supposed to redirect at altoro website. But when we click this link we are redirected to any other website.

 
Unvalidate Redirects and forwards example Example

Now giving any input to this website may cause to phishing.

Severity: Medium

Prevention:


There are number of ways by which you can prevent this vulnerability from your web application. Safe redirects and forwards can happen in numerous ways.

Try not to use redirects and forwards.

In case you use them, it is advised not to involve user parameters in calculating the destination.

If you cannot avoid destination parameters, make sure that a supplied value is valid as well as authorized for a user.

One Stop Solution for .NET Web Development - Enquire Today

Developers can use ESAPI to override the sendRedirect() method in order to ensure that all redirects destinations are safe. To avoid these kind of flaws is important as they are the frequent targets of phishers which are trying to have user’s trust.

Unvalidated Redirects and Forwards Many times it happens that you get a link via mail or social media and when you directly click on that link you are fortunately directed towards some wrong website which is not supposed to be. This is an example of Unvalidated redirects and forwards as per software development companies. Unvalidated redirects and forwards is ranked 10th on the list of OWASP top 10 vulnerabilities 2013. In this vulnerability a web application accepts untrusted source which could cause the web application to redirect on any untrusted web application. On modifying that untrusted URL source to a malicious site, the attacker can do any phishing scam and steal any sensitive user data. Here websites many times forward or redirect users to any other web pages and use untrusted data to identify the destination pages. Without any proper validation, attackers redirects victims to malware sites or uses forwards to have the access of unauthorized pages. How to find the web application is vulnerable to redirects? Here are best ways to find out if a web application has any unvalidated redirects and forwards or not. Review the entire code which automatically redirects or forwards. For each redirects, review if target URL has any parameter values. If you find any target URL isn’t validated against whitelist than your application is vulnerable. Check the site if it generates any redirects. If it does than change the URL target and check whether the site redirects to a new target. Read More: Blockchain A Forward Step To Secure Transaction   In case code is unavailable, check for all parameters to identify if they seem to be part of a redirect or forward URL and test them.   How actually it looks like? Take an example of an email. Many times it happens that you get a link of any other website in your mail.   According to this link we are supposed to redirect at altoro website. But when we click this link we are redirected to any other website.   Now giving any input to this website may cause to phishing. Severity: Medium Prevention: There are number of ways by which you can prevent this vulnerability from your web application. Safe redirects and forwards can happen in numerous ways. Try not to use redirects and forwards. In case you use them, it is advised not to involve user parameters in calculating the destination. If you cannot avoid destination parameters, make sure that a supplied value is valid as well as authorized for a user. One Stop Solution for .NET Web Development - Enquire Today See here Developers can use ESAPI to override the sendRedirect() method in order to ensure that all redirects destinations are safe. To avoid these kind of flaws is important as they are the frequent targets of phishers which are trying to have user’s trust.

Build Your Agile Team

Enter your e-mail address Please enter valid e-mail

Categories

Ensure your sustainable growth with our team

Talk to our experts
Sustainable
Sustainable
 

Blog Our insights

15 Benefits of Power Apps for CTOs
15 Benefits of Power Apps for CTOs

Implementing quick apps with the right strategies is essential for CTOs as it helps them deal with problems instantly and effectively. This is feasible by using a low-code technology, like Microsoft Power Apps. Check this comprehensive guide to learn more about Power Apps.

Unleash the Power of Explainable AI in Banking Software Development
Unleash the Power of Explainable AI in Banking Software Development

Table of Content 1.What exactly is Explainable AI? 1.1.Techniques used in XAI 2.What is the need for Explainable AI? 3.Role of Explainable AI in improving...

How Blockchain can impact the Financial industry in 2023?
How Blockchain can impact the Financial industry in 2023?

Table of Content 1.Boosts payment transparency, trust, and efficiency 2.Reduces operational risks and enables real-time verification 3.Eliminates central authority to...