Redirection is bound to happen on most sites, whether banking, e-commerce or anything else. Let's take a banking site as an example:
- Login page
- Payment option –> payment gateway redirection
- Payment gateway –> bank’s page (already logged in)
- Bank’s page –> rewards page, if you redeem credit card rewards (and have any to redeem)
- Rewards page –> Bank’s page
What happens if the attacker is able to redirect you to a link of his own instead of the payment gateway? His gateway looks exactly like the original one, but harvests whatever you type into it or installs malware on your computer. The possibilities go on and on.
Changing the redirect target above to test.com will not help, because the page validates that the URL is not external. But there is no check on internal URLs: anything that does not look like an external address is trusted as-is, which is exactly the kind of check that gets bypassed.
- No redirection, if possible.
- Never determine the destination from user input. If that cannot be avoided:
  - verify the input
  - check that the user is authorised to be sent there
  - sanitise it
- If you want to redirect the user to a page without the user’s interaction, hard-code the destination; if it must pass through the client, sign or encrypt it so it cannot be tampered with.
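As an added example (this is not code from the original post), here is a Python sketch of both sides of this: a prefix check of the kind described above, which a protocol-relative URL such as //evil.example slips straight past, beside a validator that accepts only a same-origin path, plus the hard-coded destination table with signed tokens that the last bullet suggests. The host names, destination table, signing key and all inputs are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# --- 1. A check of the kind the post describes: rejects "external" URLs by prefix only ---

def weak_is_internal(target: str) -> bool:
    """Treats anything that does not start with http:// or https:// as internal.
    Protocol-relative ("//evil.example") and scheme-less forms pass straight through."""
    lowered = target.lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))


# --- 2. Hardened: parse the value and accept only an absolute path on this site ---

def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return a path on this site that is safe to put in a Location header,
    or `fallback` if the user-supplied value cannot be trusted."""
    if not target:
        return fallback
    # Browsers strip leading whitespace/control characters and treat "\" as "/",
    # so "/\evil.example" would turn into "//evil.example". Reject them outright.
    if any(ord(c) <= 0x20 or c == "\\" for c in target):
        return fallback
    # Any run of leading slashes ("//host", "///host") is an authority in browsers,
    # even though urlsplit() parses "///host" as a plain path.
    if target.startswith("//"):
        return fallback
    parts = urlsplit(target)
    # A scheme or authority means it is not a path on this site
    # (covers "https://...", "javascript:...", "data:...").
    if parts.scheme or parts.netloc:
        return fallback
    if not parts.path.startswith("/"):
        return fallback
    # Rebuild only path and query; drop any fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))


# --- 3. Indirection: the client only ever carries a signed name, never a URL ---

# Assumed destination table for the example; a real app keeps this in its own config.
DESTINATIONS = {
    "payment": "https://gateway.example/pay",   # hypothetical gateway
    "rewards": "/rewards",
}
SIGNING_KEY = b"replace-with-a-server-side-secret"  # placeholder for the example

def _mac(name: str) -> str:
    return hmac.new(SIGNING_KEY, name.encode(), hashlib.sha256).hexdigest()

def signed_redirect_token(name: str) -> str:
    """Issued by the server when it decides where the user goes next."""
    if name not in DESTINATIONS:
        raise KeyError(f"unknown destination: {name}")
    return f"{name}.{_mac(name)}"

def resolve_redirect_token(token: str) -> Optional[str]:
    """Look up the destination for a token coming back from the client.
    Returns None if the name is unknown or the MAC does not verify."""
    name, sep, mac = token.partition(".")
    if not sep or name not in DESTINATIONS:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(name).encode()):
        return None
    return DESTINATIONS[name]


if __name__ == "__main__":
    bypass = "//evil.example/phish"
    print("weak check treats it as internal:", weak_is_internal(bypass))
    print("hardened check sends the user to:", safe_redirect_target(bypass))
    tok = signed_redirect_token("payment")
    print("token resolves to:", resolve_redirect_token(tok))
    print("tampered token resolves to:", resolve_redirect_token("payment.00"))
```

The point of the third part is that the value the user can edit is a name and a MAC, not a URL: the server never builds a Location header out of client input, and a tampered or unknown token simply falls back to a default page.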