Redirects
Redirects are useful things in web applications, but attackers can also use them to mislead users.
Whenever issuing a redirect, be extra careful if you include user-supplied data in the target of the redirect. If you need to include user-supplied data, be sure to validate it against a whitelist of permitted targets.
If the redirect target is not validated, an attacker could craft a URL that points to your site but makes it issue a redirect to a malicious one. For example:
http://www.example.com/redirect?url=evil.com
The unsuspecting user may click on it because they trust example.com, not realizing that they will be redirected to evil.com. This enables attackers to trick users into going to a malicious site. The user may not even realize that a redirect took place, especially if evil.com is a phishing site that looks identical to example.com.
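The whitelist check described above, as an added example that is not part of the original wiki page: a redirect handler that only follows targets whose host is on an explicit list (the host names, the default fallback target and the function names are assumptions made for this example). It also covers the inputs a plain string comparison would get wrong, such as scheme-relative `//evil.com`, user-info tricks like `http://www.example.com@evil.com`, backslashes that browsers treat as slashes, and non-HTTP schemes.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example; a real application would hold its own.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
# Where the user is sent when the requested target fails validation (assumed).
DEFAULT_TARGET = "https://www.example.com/"


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `url` is a local path or points at an allowlisted host."""
    if not url:
        return False
    # Whitespace and control characters can confuse URL parsers and header handling.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    # Browsers treat backslashes like forward slashes, so "/\evil.com" behaves as
    # "//evil.com"; normalise before parsing so the check sees what the browser sees.
    normalised = url.replace("\\", "/")
    parsed = urlparse(normalised)
    if parsed.scheme:
        # Absolute URL: only http(s), and the host must match the allowlist exactly
        # (so "www.example.com.evil.com" or "www.example.com@evil.com" are rejected).
        if parsed.scheme.lower() not in ("http", "https"):
            return False
        try:
            parsed.port  # raises ValueError for a malformed port such as "host:evil.com"
        except ValueError:
            return False
        return (parsed.hostname or "").lower() in allowed_hosts
    if parsed.netloc:
        # Scheme-relative "//evil.com": a different host, not a path on this site.
        return False
    # No scheme and no host: accept only an absolute path on this site ("/account"),
    # never "evil.com" (relative) or "//..." (scheme-relative after normalisation).
    return normalised.startswith("/") and not normalised.startswith("//")


def unvalidated_redirect_target(url: str) -> str:
    """The vulnerable pattern from the page: the user-supplied value is used as-is."""
    return url


def safe_redirect_target(url: str) -> str:
    """The hardened handler: fall back to a known-good target when validation fails."""
    return url if is_safe_redirect(url) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample inputs, each as the `url` query parameter from the page's example.
    for candidate in ["evil.com", "//evil.com", "http://www.example.com@evil.com/",
                      "/\\evil.com", "javascript:alert(1)", "/account",
                      "https://accounts.example.com/login"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The important design choice is that the allowlist is compared against the parsed host, not against the raw string: a check such as `url.startswith("http://www.example.com")` would accept `http://www.example.com.evil.com`, while a check for "no `http://` prefix" would accept `//evil.com`.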
Wiki content is available under a Creative Commons 3.0 License.
