Even though this is the least significant of the Open Web Application Security Project (OWASP) Top 10 risks, unvalidated redirects and forwards are dangerous, pervasive, and a favorite tool for phishers.
According to a 2016 research study conducted by Verizon on phishing, 30 percent of recipients open phishing messages (median time for the first user to open a message: 1 minute, 40 seconds), and 12 percent click malicious attachments or links (median time for the first click: 3 minutes, 45 seconds). These figures show both how often and how quickly phishing attacks succeed.
An attacker can abuse this vulnerability to install malware or trick victim users into disclosing passwords or other sensitive information.
Let’s begin with a clear understanding of what redirects and forwards mean:
Typically, a redirect involves a server sending an HTTP 302 response to the browser with a different destination URL. On receiving it, the browser makes a second request to the supplied destination URL.
Forwards are transparent to the browser. The server internally transfers a request to a different resource on the server.
Both redirects and forwards can be unsafe if you use user-supplied input, such as a query parameter, to decide the destination without validation. Let’s explore the attack mechanics involving redirects and forwards.
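To make the difference between the unsafe and the validated pattern concrete, here is an added example (not code from the original article) in Python: a redirect handler that copies the `next` parameter straight into the `Location` header, beside one that resolves the value against the site's own origin and checks the host against an allow-list, plus a forward that maps a parameter onto a fixed table of handlers. The host names `example.com`, `www.example.com` and `evil.test`, the `/login` route and the WSGI endpoint are all assumptions made for the example.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed allow-list for this example: the only hosts a redirect may point to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SITE_ROOT = "https://example.com/"   # our own origin (assumed)
FALLBACK = "https://example.com/"    # safe default used whenever the input is rejected


def redirect_location_unsafe(next_param: str) -> str:
    """Vulnerable pattern: the query parameter becomes the Location header unchanged."""
    return next_param


def redirect_location_safe(next_param: str) -> str:
    """Hardened pattern: resolve the parameter against our origin, then allow-list the host."""
    if not next_param:
        return FALLBACK
    # Resolving against our own origin turns a relative path into an absolute URL and lets
    # the URL parser, rather than string prefix checks, decide which host the browser
    # would actually be sent to (backslashes are normalised to slashes first).
    resolved = urljoin(SITE_ROOT, next_param.replace("\\", "/"))
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    return resolved


# Internal forwards: map the parameter to a fixed set of handlers instead of a path.
def page_home() -> str:
    return "home page"


def page_help() -> str:
    return "help page"


FORWARD_TABLE = {"home": page_home, "help": page_help}


def forward_safe(page_param: str) -> str:
    """Look the parameter up in a fixed table; unknown values fall back to the home handler."""
    return FORWARD_TABLE.get(page_param, page_home)()


def wsgi_app(environ, start_response):
    """Minimal WSGI endpoint (assumed route /login) issuing a 302 with a validated Location."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    location = redirect_location_safe(query.get("next", [""])[0])
    start_response("302 Found", [("Location", location)])
    return [b""]
```

Run it under `wsgiref.simple_server` and request `/login?next=https://evil.test/` to see the rejected value replaced by the fallback.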
It is a relatively common ...