A10 – Redirect validation
Unvalidated Redirects and Forwards is the tenth entry in the OWASP Top 10 list of the most critical web application security risks. The issue occurs when an application takes a URL, or the name of an internal page, as a request parameter and uses it to perform a redirect or a forward. If that parameter is not correctly validated, an attacker can craft a link that makes the application redirect its users to a malicious web site (or, in the case of a forward, to an internal page they should not be able to reach).
In this recipe we will see how to validate that the parameter we receive for a redirect or forward points only to the destinations we intended when we developed the application.
How to do it...
- Don't want to be vulnerable? Don't use it. Whenever possible, avoid redirects and forwards altogether.
- If a redirection is necessary, try not to use user-provided parameters (request variables) to calculate the destination; decide the target on the server side instead.
- If a parameter is required, implement a table that works as a catalog of redirections: the user provides an opaque ID instead of a URL, the application looks the ID up in the catalog, and any ID that is not in the catalog goes to a safe default page rather than to whatever the request contained.
- Always...
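The following is an added example, not code from the original recipe, showing the two mitigations above in Python using only the standard library: a catalog of redirections keyed by opaque IDs, plus a strict validator for the case in which a full URL must be accepted. The catalog entries, the allowed host names (`www.example.com`, `docs.example.com`) and the parameter names `next_id` and `next` are assumptions chosen for the illustration.

```python
from urllib.parse import urlsplit

# Constructed catalog (assumption): the only IDs a client may send and the
# destinations the developers chose for them. The client never sends a URL.
REDIRECT_CATALOG = {
    "home": "/",
    "account": "/account/profile",
    "docs": "https://docs.example.com/start",
}

# Hosts this application is willing to redirect to (assumption for the example).
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}

# Where we send the user when the requested destination is not acceptable.
SAFE_FALLBACK = "/"


def resolve_by_id(redirect_id):
    """Catalog lookup: an unknown or missing ID never becomes a redirect."""
    return REDIRECT_CATALOG.get(redirect_id, SAFE_FALLBACK)


def is_safe_url(url):
    """Validate a user-supplied URL when a catalog is not an option.

    Accepts only a site-relative path (a single leading '/') or an absolute
    https URL whose host is in ALLOWED_HOSTS. Everything else is rejected,
    including the classic bypasses: protocol-relative '//evil', backslash
    variants '/\\evil', userinfo tricks 'https://good@evil', CRLF and NUL
    characters, and non-http schemes such as javascript:.
    """
    if not url or len(url) > 2048:
        return False
    if any(ch in url for ch in "\\\r\n\x00"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path on this site.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname  # lower-cased, port stripped, None if absent
    return host is not None and host in ALLOWED_HOSTS


def choose_destination(params):
    """Pick the redirect target for a request.

    Prefers the catalog parameter; falls back to validating a raw URL only if
    the application has no choice but to accept one.
    """
    if "next_id" in params:
        return resolve_by_id(params["next_id"])
    url = params.get("next", "")
    return url if is_safe_url(url) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for p in ({"next_id": "account"},
              {"next_id": "https://attacker.example/"},
              {"next": "//attacker.example/login"},
              {"next": "https://www.example.com@attacker.example/"},
              {"next": "https://docs.example.com/start"}):
        print(p, "->", choose_destination(p))
```

In a real handler the value returned by `choose_destination` is what goes into the `Location` header; note that the catalog path makes the raw-URL validator unnecessary, which is why the recipe recommends it first.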