A10 – Invalidated redirects and forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
As you can see in the official definition, the issue here is redirection. Or, to be precise, the issue is redirection in a non secure manner.
The official documentation suggests that the best ways to find out whether some software includes dangerous forwarding of redirects are as follows:
Revise the code for any redirection or forwarding (transfer in .NET). Once identified, check whether the target URL is included in any parameter values. In case it is, the target URL is not being validated against a whitelist, and therefore, you are vulnerable.
The other possibility is that the site generates redirects, which correspond to HTTP response codes 300-307, and, typically a 302 code....
