Description

Web applications frequently redirect and forward users to other pages and websites, and use un-trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Examples

Scenario #1

The application has a page called "redirect.php" which takes a single parameter named "url". The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. 

http://www.example.com/redirect.php?url=evil.com

Scenario #2

The application uses forward to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access. 

http://www.example.com/boring.php?fwd=admin.php

Mitigation

Safe use of redirects and forwards can be done in a number of ways:

  1. Simply avoid using redirects and forwards.
  2. If used, don’t involve user parameters in calculating the destination. This can usually be done.
  3. If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user. It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL. Avoiding such flaws is extremely important as they are a favorite target of phishers trying to gain the user’s trust.