Unvalidated redirects and forwards

In most of the sites let it be Banking, E-commerce etc, redirection is bound to happen.Lets take an example of banking site.

  • Login page
  • Payment option –> payment gateway redirection
  • Payment gateway –> bank’s page (already logged in)
  • Banks page –> rewards page in case you redeem credit card rewards.(if you get)
  • Rewards page –> Bank’s page

What will happen if the attacker is able to redirect you to his own link instead of payment gateway?His own gateway looks exactly the same as an original gateway but installs a virus on your computer. The possibilities can go on and on..



The site ideally will take you to linked in page
Request is intercepted and you can see the destination
Changing it to attackers destination and BOOM.


Want to go back to home page..?
Here is the intercepted request

Changing the above to test.com will not help as the page is doing validation that the URL should not be external.But no checking for internal URLs.

Takes you to the admin page instead


  • No redirection – if possible
  • Never determine the destination based on user input, if it is not possible to evade that,
    • verify the input
    • Check for authority to do that
    • Sanitize it
  • If u want to redirect the user to a page without the user’s interactions, hard code it, Encrypt it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s