Open redirection Forgery
Description
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack.
Remediation
In many cases, this behavior can be avoided in two ways:
- Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
- Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
GraphQL Specific
Apollo
To mitigate open redirection vulnerabilities in the Apollo framework engine, ensure that all URL redirections are validated against a whitelist of allowed URLs. Do not rely on user input for target URLs without proper validation. Implement server-side checks to verify that the redirection target is a trusted and intended destination. Additionally, consider using built-in security features of the framework that may automatically handle such validations.
Yoga
To mitigate open redirection vulnerabilities in the Yoga framework engine, ensure that all URL redirections are validated against a whitelist of allowed URLs. Do not rely on user input for target URLs without validation. Implement server-side checks to verify that the redirection target is a trusted and intended destination. Additionally, avoid using unvalidated URL parameters to redirect users. If possible, use indirect mapping of URLs by assigning each allowed URL a unique identifier that is used in the redirection logic instead of the actual URL itself.
Awsappsync
To mitigate Open Redirection vulnerabilities in AWS AppSync, ensure that all URLs and URI parameters are validated against a whitelist of allowed destinations before redirecting. Implement server-side checks and do not rely on client-side validation alone. Additionally, avoid using user input directly in redirection logic, and employ security features such as AWS WAF to filter out malicious requests.
Graphqlgo
To mitigate open redirection vulnerabilities in a GraphQL Go framework engine, ensure that all URLs and redirect parameters are validated against a whitelist of allowed destinations before redirecting. Implement strict input validation to ensure that only intended destinations are permissible, and avoid relying on user input for determining redirect targets. Additionally, use built-in URL parsing and validation functions provided by the Go standard library to further secure the application against open redirection attacks.
Graphqlruby
To mitigate open redirection vulnerabilities in a GraphQL Ruby framework, ensure that all URLs and redirect parameters are validated against a whitelist of allowed destinations before redirecting. Implement server-side checks to verify that the URL belongs to your application's domain or a list of approved domains. Additionally, avoid using user input directly in redirect functions without proper validation and sanitization. Consider using built-in Rails functions such as url_for
and redirect_to
which provide additional security measures against open redirection attacks.
Hasura
To mitigate open redirection vulnerabilities in the Hasura framework, ensure that all URL redirections are validated against a whitelist of allowed URLs. Do not rely on user input for determining the destination URL without proper validation. Additionally, employ server-side checks to verify that the redirection target is a trusted and intended location before performing the redirect.
REST Specific
Asp_net
To mitigate open redirection vulnerabilities in ASP.NET, validate and whitelist URLs before redirecting. Use the Uri.IsWellFormedUriString
method to check if the URL is valid and ensure it points to a trusted destination. Additionally, avoid using user input directly in Response.Redirect
or other redirection methods. If user input must be used for redirection, map expected inputs to valid destination URLs on the server side.
Ruby_on_rails
In Ruby on Rails, prevent open redirection vulnerabilities by validating the URL before performing a redirection. Use built-in methods such as 'url_for' or 'redirect_to' with only path helpers or known URLs, and avoid directly inserting user-supplied input into these methods. Implement a whitelist of allowed domains if redirection to different domains is necessary, and check the user input against this list before redirecting. Additionally, use Rails' 'URI' module to parse and validate URLs to ensure they are safe for redirection.
Next_js
In Next.js, to prevent open redirection vulnerabilities, validate and sanitize all user inputs used for redirection. Ensure that the destination URLs are either relative paths or match a whitelist of allowed domains. Use the built-in next/router
or next/link
for client-side redirection, and avoid directly using user input for the href
attribute. Additionally, implement server-side checks in API routes or getServerSideProps
to further enforce these restrictions.
Laravel
In Laravel, to prevent open redirection vulnerabilities, always validate and sanitize external URLs before redirecting. Use the 'url' helper function to generate URLs to internal routes, and for external URLs, implement a whitelist of allowed domains. Additionally, avoid using user input directly in the 'redirect()' function without proper validation.
Express_js
To mitigate open redirection vulnerabilities in Express.js, validate and sanitize all user input used for redirection. Ensure that the destination URLs are either relative paths or match a whitelist of allowed domains. Additionally, avoid directly using user input to set the 'Location' header or the 'res.redirect()' method's argument. Implementing strict input validation can prevent attackers from redirecting users to malicious sites.
Django
In Django, ensure that all redirects are validated against a whitelist of allowed URLs or use Django's built-in is_safe_url()
function to validate the URL before performing the redirect. Avoid using user input directly in the redirect()
function without proper validation.
Symfony
In Symfony, to prevent open redirection vulnerabilities, ensure that all redirects are to URLs that are either static, predefined, or validated against a whitelist of allowed domains. Use the 'Symfony\Component\HttpFoundation\RedirectResponse' class for redirection and avoid directly using user input in the 'Location' header. Additionally, implement CSRF tokens in forms to protect against cross-site request forgery, which can be related to open redirection attacks.
Spring_boot
In Spring Boot, to prevent open redirection attacks, validate and sanitize all user-supplied URL redirection targets. Only allow redirects to a whitelist of trusted URLs or URI paths. Additionally, avoid directly using request parameters to construct redirection URLs. If dynamic redirection is necessary, map user input to a set of predefined paths or use a safe method like 'UriComponentsBuilder' from Spring Framework to construct the redirection URL.
Flask
In Flask, to prevent open redirection vulnerabilities, ensure that all URL redirections are validated against a whitelist of allowed domains or paths before redirecting. Use the 'url_for' function for internal redirects and validate external redirect targets against a predefined list of safe URLs.
Nuxt
In Nuxt.js, to prevent open redirection vulnerabilities, ensure that all redirects are validated against a whitelist of allowed URLs. Do not use user input directly for redirection purposes without validation. Implement server-side checks to verify that the redirection URL is to a known and trusted destination. Additionally, consider using the built-in 'redirect' method provided by Nuxt.js, which can be configured to allow redirects only to certain predefined URLs.
Fastapi
In FastAPI, to prevent open redirection vulnerabilities, validate and sanitize all user-supplied URLs before redirecting. Use a whitelist of allowed domains to compare against the user input, and only perform the redirection if the target URL matches an entry in the whitelist. Additionally, avoid using raw user input directly in redirection functions; instead, parse the URL and ensure it leads to a safe and intended destination.
Configuration
Identifier:
request_forgery/open_redirect
Examples
Ignore this check
checks:
request_forgery/open_redirect:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API3:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC1
psd2: Article-97
iso27001: A.14.2
nist: SP800-53
fedramp: AC-4
Classification
- CWE: 601
Score
- CVSS_VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N