Unvalidated redirects and forwards are when an application uses untrusted data to redirect a user to a new webpage. This poses a security threat since an attacker can use the application to redirect unsuspecting users to a malicious site in a phishing scam. Unvalidated redirects and forwards are in the OWASP top ten security vulnerabilities.

Unvalidated Redirects and Forwards Examples

In these examples the URL is sent to the backend server from the user. The server processes the requests and then redirects to the URL supplied.

Form Hidden Fields
Front End

Back End Processing

 

URL Parameters
Front End

Back End Processing

 

Unvalidated Redirects and Forwards Security Risks

In the previous examples an attacker could enter untrusted data in the form or the URL parameters to redirect to a malicious site. Users are inclined to trust the malicious form or link since it originates from a trusted URL. The unsuspecting user is then redirected to an untrusted location. The risk is that your application facilitates phishing scams, and harms users.

In some cases attackers can use the forwarded URL to bypass security checks and gain unauthorized access to the application if the destination URL does not correctly validate the user’s authorization. The risk in this case is authorization bypass in the application that could allow an attacker to manipulate the application in unintended ways.

OWASP has more information on the risks of unvalidated redirects and forwards

 

Preventing Unvalidated Redirects and Forwards

There are several ways to prevent unauthorized redirects and forwards. The first is to not use user supplied input to determine a redirect value. In the previous form example the processForm.php file could determine the correct location to redirect upon success. It could use the form being processed or it could be a dedicated form processing script with only one redirecting location.

Another solution is to use a keyed value that is stored server side. In the second example the trackredirect.php file could use a key to determine the partner to redirect to and store the URL in the server side script. The link could then be mysite.com/trackredirect.php?destination=partnerOne and the trackredirect.php could use that key to determine the correct and safe URL.

Finally, if a url must be sent from the user to the application, then a whitelisting mechanism should be in place to validate a URL as a trusted URL and if the URL is internal to the application, validate that the user is authorized to navigate to the URL. This is the least preferred approach but provides some safety rather than blindly redirecting.