URL Redirection to Untrusted Site ('Open Redirect')
ID | scala.endpoint.scala_endpoint_rule_unvalidatedredirect
Severity | high
Resource | Endpoint
Language | Scala
Description
Unvalidated redirects occur when an application redirects a user to a destination URL taken from a user-supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks.
Rationale
Because the redirect is issued by a trusted application, a link that points at that application but carries a destination parameter chosen by someone else looks legitimate to the user, yet ends on a site the application does not control. Such vulnerabilities can be used to facilitate phishing attacks.
The following code illustrates a vulnerable pattern detected by this rule:
import java.io.IOException
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}

// Servlet wrapper and class name added so the snippet compiles; the rule flags the sendRedirect call below
class RedirectServlet extends HttpServlet {
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // The redirect target is read straight from a request parameter
    val url = req.getParameter("urlRedirect")
    unvalidatedRedirect1(resp, url)
  }

  @throws[IOException]
  private def unvalidatedRedirect1(resp: HttpServletResponse, url: String): Unit = {
    // VULNERABLE: URL Redirection to Untrusted Site ('Open Redirect')
    // The user-supplied value reaches sendRedirect without any validation
    if (url != null) resp.sendRedirect(url)
  }
}
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
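The following is an added example of a remediated version of the servlet above; it is not part of this rule's documentation or of any project's code. It assumes a single allowed host (app.example.com), a default landing path of "/", and the class names RedirectValidator and SafeRedirectServlet. The validator accepts only same-site paths (a single leading "/") or absolute HTTPS URLs whose host is on the allowlist, and rejects protocol-relative forms, backslashes, userinfo tricks and non-HTTPS schemes before the value reaches sendRedirect.

```scala
import java.io.IOException
import java.net.{URI, URISyntaxException}
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}

object RedirectValidator {
  // Assumed for this example: the only external host the application redirects to
  val AllowedHosts: Set[String] = Set("app.example.com")
  // Assumed for this example: where to send the user when the parameter is unusable
  val DefaultTarget: String = "/"

  /** Returns a target that is safe to pass to sendRedirect, or None when the
    * raw value must not be used. Call with the request parameter as-is. */
  def validate(raw: String, allowedHosts: Set[String] = AllowedHosts): Option[String] =
    Option(raw).map(_.trim).filter(_.nonEmpty).flatMap { value =>
      // Browsers normalise "\" to "/" and collapse runs of leading slashes, so
      // "/\host", "//host" and "///host" all become protocol-relative URLs.
      // Reject those forms on the raw string, before any parsing.
      val hasUnsafeChars = value.exists(c => c == '\\' || c.isControl)
      if (hasUnsafeChars || value.startsWith("//")) None
      else parse(value).flatMap { uri =>
        // Same-site path: no scheme, no authority, exactly one leading "/"
        val isLocalPath =
          uri.getScheme == null && uri.getAuthority == null && value.startsWith("/")
        // Allowlisted absolute URL: HTTPS only, no userinfo, no explicit port,
        // host compared case-insensitively against the allowlist
        val isAllowedAbsolute =
          uri.getScheme == "https" && uri.getHost != null && uri.getUserInfo == null &&
            uri.getPort == -1 && allowedHosts.contains(uri.getHost.toLowerCase)
        if (isLocalPath || isAllowedAbsolute) Some(value) else None
      }
    }

  private def parse(value: String): Option[URI] =
    try Some(new URI(value)) catch { case _: URISyntaxException => None }
}

class SafeRedirectServlet extends HttpServlet {
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Fall back to the default target instead of echoing an unvalidated value
    val target = RedirectValidator
      .validate(req.getParameter("urlRedirect"))
      .getOrElse(RedirectValidator.DefaultTarget)
    resp.sendRedirect(target)
  }
}
```

With these assumptions, validate("/account?tab=1") and validate("https://app.example.com/login") return Some of the input, while validate("//other.example"), validate("javascript:void(0)") and validate("https://app.example.com@other.example/") return None. Checking the leading slashes and backslashes on the raw string matters because java.net.URI parses "///host" as an empty authority with path "/host", which a URI-only check would wrongly treat as a local path.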
References
- OWASP Top 10 2021 - A01: Broken Access Control.