Property            Value
Language            go
Severity            high
CWE                 CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
Confidence Level    High
Impact Level        Medium
Likelihood Level    Medium

Description

The code builds an HTTP redirect from a value taken directly from user input (typically a request parameter holding the "next" or "return" location) without validating or restricting the destination URL. An attacker can therefore craft a link to your application that redirects the visitor to an untrusted or malicious website.

Impact

If exploited, attackers can trick users into visiting phishing sites or downloading malware: the link they distribute points at your application's own domain, so it looks trustworthy, and only the redirect target is hostile. This undermines user trust, can lead to credential theft, and may damage the application’s reputation.
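As an added example (not code from the rule's author), the flagged pattern in Go beside a hardened version: the vulnerable handler passes the `next` query parameter straight to `http.Redirect`, while the fixed handler only accepts same-origin, absolute-path targets and falls back to a constructed default landing page otherwise. The handler names, the `next` parameter and `defaultLanding` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// defaultLanding is the fallback used whenever the requested target
// fails validation (a constructed value for this example).
const defaultLanding = "/"

// vulnerableRedirect shows the pattern the rule flags: the "next"
// query parameter flows straight into the Location header.
func vulnerableRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get("next"), http.StatusFound)
}

// safeRedirectTarget accepts only same-origin, absolute-path targets
// such as "/account?tab=security"; everything else collapses to
// defaultLanding rather than being echoed back.
func safeRedirectTarget(target string) string {
	u, err := url.Parse(target)
	if err != nil || target == "" {
		return defaultLanding
	}
	// Absolute URLs (https://evil.example), protocol-relative URLs
	// (//evil.example, which url.Parse reports as a Host) and opaque
	// URLs (javascript:..., mailto:...) all leave the current origin.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return defaultLanding
	}
	// Require a leading "/" so bare relative paths are never resolved
	// against an attacker-influenced base, and refuse backslashes,
	// which some browsers treat as "/" (turning "/\evil.example" into
	// the protocol-relative "//evil.example").
	if !strings.HasPrefix(target, "/") || strings.Contains(target, "\\") {
		return defaultLanding
	}
	return target
}

// safeRedirect is the hardened handler: same parameter, but it passes
// through safeRedirectTarget before reaching http.Redirect.
func safeRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, safeRedirectTarget(r.URL.Query().Get("next")), http.StatusFound)
}

func main() {
	for _, in := range []string{"/account?tab=security", "https://evil.example", "//evil.example", "/\\evil.example"} {
		fmt.Printf("%-24q -> %q\n", in, safeRedirectTarget(in))
	}
}
```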