Securing Node Applications by Chetan Karande

Chapter 10. Unvalidated Redirects and Forwards

Even though this is the least significant of the Open Web Application Security Project (OWASP) Top 10 risks, unvalidated redirects and forwards are dangerous, pervasive, and a favorite tool for phishers.

According to a 2016 research study conducted by Verizon on phishing, 30 percent of recipients open phishing messages (median time for the first user to open a message: 1 minute, 40 seconds), and 12 percent click malicious attachments or links (median time for the first click: 3 minutes, 45 seconds). This reveals the success rate and execution speed of phishing attacks.

An attacker can abuse this vulnerability to install malware or trick victims into disclosing passwords or other sensitive information.

Attack Mechanics

Let’s begin by having a clear understanding of what redirects and forwards mean:

Redirects

Typically, a redirect involves a server sending an HTTP 302 response to the browser with a different destination URL. On receiving it, the browser makes a second request to the supplied destination URL.

Forwards

Forwards are transparent to the browser. The server internally transfers a request to a different resource on the server.

Both redirects and forwards become unsafe when user-supplied input, such as a query parameter, decides the destination without being validated. Let’s explore the attack mechanics involving redirects and forwards.
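The following is an added example, not code from the book, showing the pattern the paragraph describes in a Node application: a login handler that trusts a `next` query parameter outright, next to a hardened version that resolves the parameter against the application's own origin and only honours http(s) destinations on an allow-listed host. The origin `https://app.example.com`, the allow-listed hosts, the `resolveRedirectTarget`/`runHandler` helpers and the stand-in request/response objects are all assumptions made for this example; it runs on plain Node.js with no dependencies. Forwards are handled by a lookup keyed on a page name rather than a path, so the client never supplies a server-side location at all.

```javascript
'use strict';

// Assumed values for this example: the application's own origin and the
// hosts a redirect may land on.
const APP_ORIGIN = 'https://app.example.com';
const ALLOWED_HOSTS = new Set(['app.example.com', 'docs.example.com']);
const DEFAULT_TARGET = '/';

// Resolve a user-supplied redirect destination against APP_ORIGIN and accept
// it only when it is an http(s) URL on an allow-listed host. Other schemes,
// protocol-relative "//host" forms, userinfo tricks ("https://good@evil"),
// control characters and backslashes all fall back to DEFAULT_TARGET.
function resolveRedirectTarget(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== 'string' || input.trim() === '') return DEFAULT_TARGET;
  // CR/LF would allow header injection via the Location header; the WHATWG
  // URL parser and some browsers treat backslashes as forward slashes.
  if (/[\u0000-\u001f\u007f\\]/.test(input)) return DEFAULT_TARGET;
  let parsed;
  try {
    parsed = new URL(input, APP_ORIGIN); // relative paths resolve to our origin
  } catch (e) {
    return DEFAULT_TARGET;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return DEFAULT_TARGET;
  if (!allowedHosts.has(parsed.hostname)) return DEFAULT_TARGET;
  return parsed.href;
}

// Vulnerable handler: issues a 302 to whatever ?next= says.
function vulnerableLoginRedirect(req, res) {
  res.redirect(req.query.next);
}

// Hardened handler: same flow, destination validated first.
function safeLoginRedirect(req, res) {
  res.redirect(resolveRedirectTarget(req.query.next));
}

// Forwards: map a client-supplied page name to a fixed server-side resource.
// Unknown names yield null so the caller can respond with 404 instead of
// transferring the request somewhere the client chose.
const FORWARD_TABLE = new Map([
  ['home', '/views/home'],
  ['help', '/views/help'],
]);
function resolveForwardTarget(name) {
  return FORWARD_TABLE.get(String(name)) || null;
}

// Minimal stand-in for an Express request/response so the handlers can be
// exercised without a server; returns the Location the handler chose.
function runHandler(handler, next) {
  const req = { query: { next } };
  const res = { location: null, redirect(url) { this.location = url; } };
  handler(req, res);
  return res.location;
}

// Constructed probe values, the kind seen in an open-redirect test.
const PROBES = [
  '/account?tab=1',
  'https://docs.example.com/guide',
  'https://evil.example/login',
  '//evil.example/x',
  'https://app.example.com@evil.example/',
  'https://app.example.com.evil.example/',
  'javascript:alert(1)',
];
for (const p of PROBES) {
  console.log(`${p}\n  vulnerable -> ${runHandler(vulnerableLoginRedirect, p)}` +
              `\n  hardened   -> ${runHandler(safeLoginRedirect, p)}`);
}
```

Resolving the input with `new URL(input, APP_ORIGIN)` is what makes the check robust: a bare path stays on the application's origin, while every form that would leave it (absolute URL, `//host`, `user@host`) ends up with a `hostname` that is simply compared against the allow-list, so no hand-written prefix matching is needed.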

Scenario 1: Redirect to an External Web Page

It is a relatively common ...
