Unsanitized user input in redirect

Overview

  • Rule ID: javascript_lang_open_redirect

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-601

Description

Using unsanitized user input in redirects increases the risk of phishing attacks. This vulnerability arises when an application dynamically redirects users to a URL that includes user-controlled input without adequate validation or sanitization.

Remediation Guidelines

  • Do not use user input directly in redirect URLs. This can result in phishing attacks where attackers redirect users to malicious sites.

  • Do validate and sanitize all user input used in redirects. Confirm that each destination URL resolves to a host you control or explicitly trust, and use a whitelist of allowed URLs or hosts whenever possible rather than trying to block known-bad patterns.

  • Do implement server-side redirection methods that prevent user input from directly determining the destination. This ensures that the application maintains control over the redirect targets.
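The three guidelines above in working form, as an added example that is not part of the rule page: the verbatim pass-through the rule flags, a hardened version that parses the input against the application's own origin and checks the resulting host against a whitelist, and a server-side key-to-destination map. APP_ORIGIN, ALLOWED_HOSTS, REDIRECT_TARGETS and the function names are constructed for this example.

```javascript
// Added example (not code from the rule page). Names and hosts are constructed:
// APP_ORIGIN is the assumed origin of the application, ALLOWED_HOSTS its whitelist.
const APP_ORIGIN = 'https://app.example.com';
const ALLOWED_HOSTS = new Set(['app.example.com', 'docs.example.com']);
const FALLBACK = '/';

// Pattern the rule flags: a query value such as ?next=... is used as the
// redirect destination verbatim, so "//evil.example/x" sends the user off-site.
function vulnerableRedirectTarget(next) {
  return next;
}

// Hardened version: parse against our own origin, then whitelist the result.
function safeRedirectTarget(next) {
  if (typeof next !== 'string' || next === '') return FALLBACK;
  let url;
  try {
    // Relative paths ("/account") resolve to APP_ORIGIN. Absolute and
    // protocol-relative inputs ("//evil.example") keep their own host,
    // which the host check below rejects. The WHATWG parser treats
    // backslashes like slashes for http(s), so "\\evil.example" is caught too.
    url = new URL(next, APP_ORIGIN);
  } catch (err) {
    return FALLBACK; // unparseable input never reaches a Location header
  }
  // Web schemes only: rejects javascript:, data:, etc.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK;
  // Exact hostname match, so "app.example.com.evil.example" and
  // "app.example.com@evil.example" (userinfo trick) both fail.
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;
  // Return the re-serialised URL rather than the raw input string.
  return url.href;
}

// Third guideline: the client picks a key, never a URL. The server owns the map.
const REDIRECT_TARGETS = {
  dashboard: '/dashboard',
  docs: 'https://docs.example.com/',
};
function redirectByKey(key) {
  // hasOwnProperty guards against inherited keys such as "constructor".
  return Object.prototype.hasOwnProperty.call(REDIRECT_TARGETS, key)
    ? REDIRECT_TARGETS[key]
    : FALLBACK;
}

// In an Express handler these would be used as, for example:
//   res.redirect(safeRedirectTarget(req.query.next));
//   res.redirect(redirectByKey(req.query.to));
```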

References
