URL Redirection to Untrusted Site (‘Open Redirect’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The application redirects users to URLs provided directly from request data (such as query parameters or headers) without validating them. This allows attackers to craft links that send users to malicious websites.
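The following is an added example, not code from the original page: the unvalidated pattern described above next to a validator that only accepts same-site paths or an explicit allow-list of hosts. The host name `app.example.com` and the `next` parameter name are constructed for the example; the hardened check also handles the scheme-relative (`//host`), backslash, userinfo (`host@evil`) and non-HTTP-scheme forms that a naive prefix check misses.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts the application may redirect to.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(next_param: str) -> str:
    # The CWE-601 pattern: the request value is used as the Location as-is.
    return next_param


def safe_redirect_target(next_param: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that is either a same-site path or an
    absolute http(s) URL whose host is allow-listed; otherwise `default`."""
    if not next_param:
        return default
    # Browsers treat backslashes as slashes ("/\evil" becomes "//evil"), so
    # normalise before parsing; control characters (tab, newline) are also
    # stripped by browsers and can hide a scheme, so reject them outright.
    target = next_param.replace("\\", "/").strip()
    if any(ord(c) < 0x20 for c in target):
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Path-only value: must be a single leading "/" ("//host" is a
        # scheme-relative URL and leaves the site).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Absolute URL: only http(s), and compare the parsed hostname rather than
    # the raw netloc so "https://app.example.com@evil.test" (hostname
    # evil.test) and "app.example.com.evil.test" are both rejected.
    if parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return default
    return target
```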
Impact
If exploited, attackers can trick users into visiting fraudulent or harmful sites, which can lead to phishing attacks, credential theft, or loss of user trust. This also puts the application’s reputation at risk and may aid further attacks against your users.