# Unsanitized User input in Redirect ## Overview * **Rule ID**: `java_lang_open_redirect` * **Applicable Languages**: Java * **Weakness ID**: CWE-601 ## Description Using unsanitized user input for redirects can expose your application to phishing attacks. This happens when user input is directly used to determine the redirect destination without adequate validation or sanitization, allowing attackers to redirect users to malicious sites and compromise their security. ## Remediation Guidelines * **Avoid** using unsanitized user input to construct URLs for redirects, as this can lead to phishing attacks and compromise user security. * **Instead, validate user input by using a safelist or a mapping strategy** when constructing URLs for redirects. This approach ensures that only pre-approved destinations are used, significantly reducing the risk of malicious redirects. ## References * [**OWASP Unvalidated Redirects and Forwards Cheat Sheet**](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) * [**CWE-601: URL Redirection to Untrusted Site ('Open Redirect')**](https://cwe.mitre.org/data/definitions/601.html) * [**OWASP Top 10: A01:2021 - Broken Access Control**](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) ## Configuration To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our [**SAST TOOL**](https://scopy.sec1.io/login) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sec1.io/user-docs/4-sast/2-java/unsanitized-user-input-in-redirect.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.