Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.
Redirects allow web applications to send users to different pages within the same application or to external sites. Applications use redirects to aid site navigation and, in some cases, to track how users exit the site. Open redirect vulnerabilities occur when a web application redirects clients to an arbitrary URL that an attacker can control.
Attackers can use open redirects to trick users into visiting a URL on a trusted site that then redirects them to a malicious site. By encoding the URL, an attacker can make it harder for end users to notice the malicious destination of the redirect, even though it is passed as a URL parameter to the trusted site. Open redirects are often abused as part of phishing scams to harvest sensitive end-user data.
Example 1: The following Python code instructs the user's browser to open a URL read from the dest request parameter when a user clicks the link.
...
strDest = request.field("dest")   # attacker-controlled value taken straight from the request
redirect(strDest)                 # used as the redirect target with no validation: open redirect
...
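The fix is to validate the destination against an allow list before redirecting. The following is an added example, not code from the original page; it assumes a constructed set of permitted hosts (ALLOWED_HOSTS) and a fallback of "/", and it also rejects the usual parser-confusion forms (scheme-relative "//host", backslash variants, userinfo tricks and non-HTTP schemes) that a naive prefix check misses.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed sample values).
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_DEST = "/"


def is_safe_redirect(dest, allowed_hosts=ALLOWED_HOSTS):
    """True only if dest is a local path or an http(s) URL on an allow-listed host."""
    if not dest:
        return False
    dest = dest.strip()
    # Control characters never belong in a Location value (header injection).
    if any(ord(c) < 0x20 for c in dest):
        return False
    # Browsers treat backslashes like forward slashes, so "/\evil" is "//evil".
    normalized = dest.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False  # blocks javascript:, data:, and other schemes
        if not parts.netloc:
            return False  # browsers read "https:/evil" as an absolute URL
    if not parts.netloc:
        # Plain path: exactly one leading slash; "//host" and "///host" are not local.
        return normalized.startswith("/") and not normalized.startswith("//")
    # .hostname drops userinfo and port, so "http://www.example.com@evil" yields "evil".
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def redirect_target(dest, fallback=DEFAULT_DEST):
    """Hardened replacement for redirect(strDest): unvalidated input falls back."""
    return dest if is_safe_redirect(dest) else fallback
```

The application then calls redirect(redirect_target(request.field("dest"))) so that only validated destinations reach the browser.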
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A10 Unvalidated Redirects and Forwards
[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3600 CAT II
[4] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Content Spoofing
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 601
[6] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 601
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1