# Unsanitized user input in redirect

## Overview

* **Rule ID**: `javascript_lang_open_redirect`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-601

## Description

Redirecting to a destination built from unvalidated user input lets an attacker craft a link on your domain that sends the victim to a site of the attacker's choosing. Because the link starts with a host the victim trusts, it lends credibility to phishing pages. The vulnerability arises whenever the application takes a redirect target from request data (a query parameter, form field, header or cookie) and passes it to the redirect without checking that it points somewhere the application actually intends to send users.

## Remediation Guidelines

* **Do not** pass request data straight into a redirect. An attacker can then craft a link on your domain whose redirect parameter lands the victim on a site they control, which is the basis of the phishing attacks this rule is concerned with.
* **Do** validate every user-supplied destination before redirecting: parse it with a real URL parser, accept only the http and https schemes, and compare the parsed host against an allowlist of exact hostnames (or accept only same-origin relative paths). Prefix and substring checks are not sufficient: protocol-relative URLs, backslashes in place of slashes, and userinfo in the URL all pass a naive "starts with our domain" test yet leave your site. When validation fails, fall back to a fixed safe path rather than the input.
* **Do** prefer server-side indirection where possible: have the client send a short key, look the destination up in a server-side table, and redirect to the looked-up URL. User input then never determines the redirect target, and the application keeps full control over where users can be sent.
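The following is an added example for Node.js, not code from the rule's documentation or from any particular project. It shows the vulnerable pattern next to an allowlist-based replacement and an Express-shaped handler that uses it. The function names (`safeRedirectTarget`, `afterLoginHandler`), the `next` query parameter, the origin `https://app.example.com`, the allowlisted host `docs.example.com`, and the sample inputs at the bottom are all assumptions made for the example.

```javascript
// Added example (not part of the rule's documentation): the vulnerable
// pattern and an allowlist-based replacement for a Node.js/Express app.
// Names, hosts and sample inputs below are assumptions for illustration.

// VULNERABLE: the user-controlled "next" parameter becomes the Location
// header unchanged, so ?next=https://evil.example sends the user off-site.
function vulnerableRedirectTarget(next) {
  return next; // equivalent to res.redirect(req.query.next) in Express
}

// HARDENED: resolve the candidate against our own origin with the WHATWG
// URL parser (global in Node), then accept it only if the scheme is http(s)
// and the host is ours or on an explicit allowlist. Anything else falls
// back to a fixed safe path, never to the input.
function safeRedirectTarget(candidate, { origin, allowedHosts = [], fallback = "/" }) {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }
  // Control characters (CR/LF in particular) must never reach a Location
  // header; the URL parser would silently strip some of them, so reject early.
  if (/[\x00-\x1f\x7f]/.test(candidate)) return fallback;

  let url;
  try {
    // "//evil.example" and "/\evil.example" both resolve to host evil.example,
    // and "https://app.example.com@evil.example" parses with host evil.example.
    url = new URL(candidate, origin);
  } catch {
    return fallback; // unparseable input
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback; // javascript:, data:, ...

  const self = new URL(origin);
  if (url.host === self.host) {
    // Same-origin: emit a relative path so the response never carries an
    // absolute URL that we did not build ourselves.
    return url.pathname + url.search + url.hash;
  }
  if (allowedHosts.includes(url.host)) {
    return url.href; // exact host match against the allowlist, normalised by the parser
  }
  return fallback;
}

// Express-shaped handler. Express itself is not needed to run this file;
// any object with redirect(status, location) works as `res`.
const REDIRECT_POLICY = {
  origin: "https://app.example.com",
  allowedHosts: ["docs.example.com"],
  fallback: "/dashboard",
};

function afterLoginHandler(req, res) {
  const target = safeRedirectTarget(req.query.next, REDIRECT_POLICY);
  res.redirect(302, target);
  return target;
}

// Constructed sample inputs of the kind an attacker would send (assumptions).
const samples = [
  "/account",
  "//evil.example/phish",
  "/\\evil.example",
  "https://app.example.com@evil.example/",
  "https://app.example.com.evil.example/",
  "javascript:alert(1)",
  "https://docs.example.com/guide",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s, REDIRECT_POLICY));
}
```

Two design choices are worth noting. First, the check is done on the parsed `host`, not on the raw string, which is what defeats the protocol-relative, backslash and userinfo variants. Second, same-origin targets are re-emitted as a relative path, so even a correctly validated absolute URL never reaches the Location header verbatim. If you adopt the server-side indirection approach instead, the allowlist becomes a map from short keys to URLs and the parsing step disappears entirely.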

## References

* [**OWASP Unvalidated Redirects and Forwards Cheat Sheet**](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
* [**CWE-601: URL Redirection to Untrusted Site ('Open Redirect')**](https://cwe.mitre.org/data/definitions/601.html)
* [**OWASP Top 10: A01:2021 - Broken Access Control**](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)

## Configuration

To exclude this rule from a scan, or to set up continuous code-level scanning, see our [**SAST TOOL**](https://scopy.sec1.io/login).
