Web applications may redirect users to other pages and websites. Attackers can use redirects to send users to malicious sites or use forwards to access unauthorized pages. If possible, try to avoid redirects and forwards. If your application uses redirects and forwards, testing of them should include:

• A review of the code should be conducted for all uses of redirect or forward. For each use, identify if the target URL is included in any parameter values. If so, verify that the parameter(s) are validated to contain only an allowed destination or element of a destination.
• Someone on the team should spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the ...