Security Testing Unvalidated Redirects and Forwards - Security Testing

What is Security Testing - Unvalidated Redirects and Forwards?

Most web applications frequently redirect and forward users to other pages within the site or to external websites. When the destination is taken from a request parameter and is not validated, an attacker can craft a link that redirects victims to phishing or malware sites, or use a forward to reach pages the attacker is not authorized to access.

Let us understand the threat agents, attack vectors, security weakness, technical impact and business impact of this flaw with the help of a simple diagram.

Diagram: Security Testing - Unvalidated Redirects and Forwards


Following are two classic examples of unvalidated redirects and forwards:

1. Suppose the application has a page, redirect.jsp, that accepts a single parameter: the URL to redirect to. An attacker crafts a link to redirect.jsp whose parameter points to a malicious site. Because the link begins with the trusted application's domain, victims follow it and are redirected to a page that installs malware or harvests their credentials.

2. Web applications commonly use forwards to route users between different parts of the site. To do this, some pages take a parameter that names the page the user should be forwarded to after a successful operation. If the destination page's own access control is not re-checked, an attacker crafts a URL that passes the access control check of the entry page and is then forwarded to admin functionality the attacker is not authorized to use.

What are the prevention mechanisms?

  • It is best to avoid using redirects and forwards altogether.
  • If they cannot be avoided, do not take the target from user-supplied parameters.
  • If the target must come from a parameter, validate it against an allow-list of permitted destinations (or map an opaque value to a server-side destination), and make sure the user is authorized for the resulting page. Do not rely on a blacklist of known bad hosts.
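The following Python module is an added example, not code from the original page or its author; it uses Python rather than JSP so the checks can be run directly. The host names, page paths and role names in it are assumed for illustration. It shows the validation that the redirect.jsp in example 1 lacks, including the bypasses a naive check misses (protocol-relative "//host", backslash variants, "https:host" with no slashes, userinfo tricks and javascript: URLs), and the allow-list mapping for forwards that the prevention list recommends, which also closes the access control bypass in example 2.

```python
# Added example (not from the original page). Host names, page paths and
# role names below are assumed for illustration.
from typing import Optional, Set
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com", "login.example.com"}   # assumed allow-list


def is_safe_redirect(target: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> bool:
    """Accept only same-site relative paths or https URLs to allow-listed hosts.

    Rejects the usual bypasses: protocol-relative "//evil.com", backslash
    variants "/\\evil.com", scheme-only "https:evil.com", userinfo tricks
    "https://app.example.com@evil.com" and non-http schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers treat a backslash as a path separator, so normalise it before
    # parsing; otherwise "/\evil.com" parses as a path here but navigates to evil.com.
    t = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(t)
    except ValueError:          # e.g. malformed IPv6 literal "https://[evil"
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a single-slash path on this site.
        return t.startswith("/") and not t.startswith("//")
    if parts.scheme.lower() != "https":
        return False            # rejects http:, javascript:, data: and "//host" forms
    # .hostname lowercases and strips port and userinfo, so "a@evil.com" yields evil.com
    return parts.hostname in allowed_hosts


def redirect_location(target: str, fallback: str = "/") -> str:
    """Value for the Location header: the validated target or a fixed fallback.
    The vulnerable redirect.jsp of example 1 would return target unchanged."""
    return target if is_safe_redirect(target) else fallback


# Forwards: do not take the destination from the request. Take an opaque key,
# map it server-side to a fixed page, then enforce that page's own access control.
FORWARD_TARGETS = {                     # assumed mapping
    "home": "/dashboard.jsp",
    "profile": "/profile.jsp",
    "admin": "/admin/users.jsp",
}
PAGE_ROLES = {"/admin/users.jsp": {"admin"}}   # assumed: pages that require a role


def resolve_forward(key: str, user_roles: Set[str]) -> Optional[str]:
    """Return the page to forward to, or None if the key is unknown or the
    user lacks the role the destination requires (the bypass in example 2)."""
    dest = FORWARD_TARGETS.get(key)
    if dest is None:
        return None
    required = PAGE_ROLES.get(dest, set())
    if required and not (required & user_roles):
        return None
    return dest


if __name__ == "__main__":
    for candidate in ["/orders", "//evil.com/x", "https://app.example.com@evil.com/"]:
        print(candidate, "->", redirect_location(candidate))
    print(resolve_forward("admin", {"user"}), resolve_forward("admin", {"admin"}))
```

Two design choices are worth noting. The redirect check is deliberately strict (https only, exact host match) rather than a blacklist, because every bypass above is a string the attacker controls. The forward resolver never sees a path from the request at all, so a value like "../admin/users.jsp" is simply an unknown key, and even a known key is refused when the user lacks the role the destination page requires.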

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd
