Unsanitized User input in Redirect

Overview

• Rule ID: java_lang_open_redirect

• Applicable Languages: Java

• Weakness ID: CWE-601

Description

Using unsanitized user input for redirects can expose your application to phishing attacks. This happens when user input is directly used to determine the redirect destination without adequate validation or sanitization, allowing attackers to redirect users to malicious sites and compromise their security.

Remediation Guidelines

• Avoid using unsanitized user input to construct URLs for redirects, as this can lead to phishing attacks and compromise user security.

• Instead, validate user input by using a safelist or a mapping strategy when constructing URLs for redirects. This approach ensures that only pre-approved destinations are used, significantly reducing the risk of malicious redirects.

References

• OWASP Unvalidated Redirects and Forwards Cheat Sheet

• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

• OWASP Top 10: A01:2021 - Broken Access Control

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL