<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">

<qhelp>

<overview>

<p>

Directly incorporating user input into a URL redirect request without validating the input can

facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious

site that looks very similar to the real site they intend to visit, but is controlled by the

attacker.

</p>

</overview>

<recommendation>

<p>

To guard against untrusted URL redirection, it is advisable to avoid putting user input directly into

a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from

that list based on the user input provided.

</p>

<p>

If this is not possible, then the user input should be validated in some other way,

for example, by verifying that the target URL is local and does not redirect to a different host.

</p>

</recommendation>

<example>

<p>

The following example shows an HTTP request parameter being used directly in a URL redirect without

validating the input, which facilitates phishing attacks:

</p>

<sample src="OpenUrlRedirect.go"/>

<p>

One way to remedy the problem is to parse the target URL and check that its hostname is empty,

which means that it is a relative URL:

</p>

<sample src="OpenUrlRedirectGood.go"/>

<p>

Note that some browsers treat backslashes in URLs as forward slashes. To account for this,

we replace all backslashes with forward slashes before parsing the URL and checking its hostname.

</p>

</example>

<references>

<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">

XSS Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>

</references>

</qhelp>