| Property | Value |
|---|---|
| Language | javascript |
| Severity | low |
| CWE | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

The application uses user-controlled input to set the destination of a window redirection (e.g., via location.href or location.replace) without validating it. An attacker can supply an external URL to send users to a malicious site, or a javascript: URL, which the browser executes as script in the page instead of navigating.
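The following is an added example, not code from the rule page or from any project it describes. It places the flagged pattern (an untrusted value assigned straight to location.href) next to a hardened version that resolves the value against the application's own origin and accepts only same-origin http(s) destinations. APP_ORIGIN, the "next" parameter, and the fakeWindow stand-in are hypothetical; the rejected inputs in the comments are constructed test cases.

```javascript
// Added example (not from the original rule page): open-redirect sink
// beside a same-origin redirect-target validator.
//
// Assumptions (hypothetical): the application is served from APP_ORIGIN and
// a "next" query parameter carries the post-login destination.

const APP_ORIGIN = "https://app.example.test"; // constructed value

// Vulnerable pattern the rule flags: the untrusted value flows straight into
// location.href, so external URLs, protocol-relative "//host" values and
// javascript: URLs are all accepted as-is.
function vulnerableRedirect(nextParam, win) {
  win.location.href = nextParam;
}

// Hardened pattern: resolve the value against our own origin, then accept it
// only if it is an http(s) URL whose origin equals APP_ORIGIN. Anything else
// falls back to a fixed, safe landing page.
function safeRedirectTarget(nextParam, fallback = "/") {
  if (typeof nextParam !== "string" || nextParam.length === 0) return fallback;
  let url;
  try {
    // Resolving relative to APP_ORIGIN turns "/account" into a full URL, while
    // "//evil.test/x" (and "/\evil.test", since WHATWG treats "\" as "/") resolves
    // to a foreign origin and is rejected below.
    url = new URL(nextParam, APP_ORIGIN);
  } catch {
    return fallback; // unparsable input
  }
  // Scheme check blocks javascript:, data: and similar non-navigational URLs.
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Origin check blocks external hosts, including userinfo tricks such as
  // "https://app.example.test@evil.test/".
  if (url.origin !== APP_ORIGIN) return fallback;
  // Return a path-only target so the later location.href assignment can never
  // be reinterpreted as an absolute URL.
  return url.pathname + url.search + url.hash;
}

function safeRedirect(nextParam, win) {
  win.location.href = safeRedirectTarget(nextParam);
}

// Minimal stand-in for window so the functions can be exercised outside a browser.
function fakeWindow() {
  return { location: { href: "" } };
}

module.exports = { vulnerableRedirect, safeRedirectTarget, safeRedirect, fakeWindow };
```

Returning a relative path rather than the parsed absolute URL is deliberate: it keeps the redirect sink from ever receiving a value with a scheme or host, so a later refactor of the sink cannot reintroduce the issue. If cross-origin redirects are a genuine requirement, compare url.origin against an explicit allowlist of origins instead of the single APP_ORIGIN.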

Impact

If exploited, attackers could trick users into visiting phishing or malicious sites, leading to credential theft or malware installation. In some cases, they could inject JavaScript via specially crafted links, potentially enabling Cross-Site Scripting (XSS) attacks and compromising user data or site integrity.