Home
>
Documentation
>
Warnings
>
V5324. OWASP. Possible open redirect vu…


V5324. OWASP. Possible open redirect vulnerability. Potentially tainted data is used in the URL.

The analyzer has detected a redirect from one web resource to another, where the redirection URL is obtained from an external source without verification. This can lead to an open redirect vulnerability if the URL is compromised.

This vulnerability can be categorized under the OWASP Top 10 2021 classification as follows:

The example:

@GetMapping("/redirectExample")
public RedirectView redirect(@RequestParam("url") String url) {
  return new RedirectView(url);
}

In this example, the url may contain tainted data from the external source. This data is used to redirect the client to the address that is written in the url. This program logic streamlines the phishing attacks to steal user data.

The example of a compromised address:

URL: http://mySite.com/login?url=http://attacker.com/

A possible attack scenario:

  • Users receive a link from an attacker and click it.
  • They go to a trusted website that prompts them to log in. After entering their username and password, users will be redirected to a phishing website that looks identical to the expected one.
  • The phishing website also requests a username and password. Users think they made a mistake and re-enter their credentials.
  • As a result, the attacker behind the fake website obtains data and redirects users to the original website. Users may not even notice that their data has been stolen.

The main danger of an open redirect is that the hostile link initially points to a trusted domain, making users more likely to follow it.

To protect against open redirects, ensure that your URL is redirected only to a local or whitelisted address.

The fixed code:

private static final List<String> ALLOWED_SITES = List.of(
            "https://goodsite.com",
            "https://verygoodsite.com"
    );

@GetMapping("/redirectExample")
public RedirectView redirect(@RequestParam("url") String url) {
  if (ALLOWED_SITES.contains(url)) {
    return new RedirectView(url);
  }
  // ....
}

This diagnostic is classified as: