| Property | Value |
| --- | --- |
| Language | php |
| Severity | low |
| CWE | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Redirecting users to URLs that are not hardcoded or validated can allow attackers to craft links that redirect users to malicious sites. If user input is used directly in the redirect() method, the application is vulnerable to open redirects.
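The validation step described above, as an added example that is not part of the original rule or of any framework: `safeRedirectTarget()`, the allowlisted hosts and the `next` parameter are hypothetical names, and `redirect()` appears only in comments because the page does not name the framework.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of external hosts this application may redirect to.
const ALLOWED_REDIRECT_HOSTS = ['example.com', 'accounts.example.com'];

/**
 * Return $target if it is a same-site path or an https URL on an allowlisted
 * host; otherwise return $fallback. (Hypothetical helper, not a framework API.)
 */
function safeRedirectTarget(string $target, string $fallback = '/'): string
{
    // Reject whitespace, control characters and backslashes: browsers may
    // normalise "\" to "/", turning "/\host" into a protocol-relative URL.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return $fallback;
    }
    // Same-site path: exactly one leading "/" ("//host" is protocol-relative).
    if ($target[0] === '/') {
        return substr($target, 0, 2) === '//' ? $fallback : $target;
    }
    // Absolute URL: require https, no userinfo, and an allowlisted host.
    $parts = parse_url($target);
    if ($parts === false
        || strtolower($parts['scheme'] ?? '') !== 'https'
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, ALLOWED_REDIRECT_HOSTS, true) ? $target : $fallback;
}

// Pattern this rule flags: user input passed straight to the redirect.
//   return redirect($_GET['next']);
// Validated form: anything not on the allowlist falls back to "/".
//   return redirect(safeRedirectTarget((string) ($_GET['next'] ?? '/')));

// Constructed sample inputs showing which targets survive validation.
$samples = [
    '/account/settings',
    'https://accounts.example.com/login',
    'https://evil.test/',
    '//evil.test/',
    'https://example.com@evil.test/',
];
foreach ($samples as $input) {
    printf("%-36s => %s\n", $input, safeRedirectTarget($input));
}
```

Only the first two sample inputs are returned unchanged; the rest resolve to the fallback path.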

Impact

Attackers could trick users into clicking links that appear to be from your site but actually redirect them to phishing or malicious pages. This can lead to loss of user trust or credential theft, or facilitate further attacks such as session hijacking.