Top 10 2010-A10-Unvalidated Redirects and Forwards

Scenario #1: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. http://www.example.com/redirect.jsp?url=evil.com Scenario #2:The application uses forward to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access. http://www.example.com/boring.jsp?fwd=admin.jsp


 * OWASP Article on Open Redirects
 * ESAPI SecurityWrapperResponse.sendRedirect method


 * CWE Entry 601 on Open Redirects
 * WASC Article on URL Redirector Abuse
 * Google blog article on the dangers of open redirects