OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse

Return to Periodic Table Working View

Root Cause Summary
Applications accept arbitrary user-defined URLs as input, which are then used as targets for redirection. Users may be unwittingly rerouted to a malicious site from a site they trust.

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
The framework should expose a configurable white list of hosts and/or paths that are acceptable targets for URL redirection. This might include additional rules about stripping |URL fragments and URL parameters from the redirection target. The default rule set should allow only relative URLs, in order to prevent redirection away from the original site.

The framework should prevent application code from directly modifying Location, Refresh, or any other response headers that might be used by the browser to load URL resources. The framework should prevent the use of document.location and window.location in JavaScript. Instead, the framework should expose an API for URL redirection which can accept an arbitrary URL, but applies the white list rules and transformations before allowing the redirect.

Session expiration code and code which handles unauthenticated deep linking should automatically apply the white list when attempting to redirect back to a requested URL after successful authentication.

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
None