URL Redirection to Untrusted Site (‘Open Redirect’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
User-supplied data from the request (typically a `next` or `url` query parameter) is passed straight to Flask's `redirect()` without validation. `redirect()` only builds the `Location` header; it does not check the scheme or host of the target. An attacker can therefore craft a link that starts on your domain but whose redirect parameter points to an external site, including absolute URLs and scheme-relative forms such as `//evil.example`, and the victim's browser will follow it.
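The pattern described above, with its fix, as an added example that is not part of the original page and not Flask's or Werkzeug's own code. The route names `/go` and `/login`, the `next` parameter, the `ALLOWED_HOSTS` allowlist and the helper `is_safe_redirect_target()` are assumptions for the illustration. The check accepts only site-absolute paths or absolute `http(s)` URLs whose hostname is explicitly allowed, and it rejects the scheme-relative, backslash and userinfo tricks that a naive "starts with /" or "contains my domain" test lets through.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (assumed for the example).
ALLOWED_HOSTS = frozenset({"app.example.com"})


def is_safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` points back into this site.

    Accepted: a site-absolute path such as "/account", or an absolute
    http(s) URL whose hostname is in `allowed_hosts`.
    Rejected: scheme-relative ("//evil", "///evil"), backslash ("/\\evil"),
    foreign-scheme ("javascript:"), userinfo ("https://good@evil") targets,
    and anything containing control characters.
    """
    if not isinstance(target, str):
        return False
    target = target.strip()
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat "\" like "/" when resolving a URL, so "/\evil.example"
    # is followed as "//evil.example". Normalise before inspecting.
    normalised = target.replace("\\", "/")
    # Two or more leading slashes are collapsed by browsers into an
    # authority, so "///evil.example" also leaves the site. Reject all of them.
    if normalised.startswith("//"):
        return False
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme:
        # Relative reference; insist on a site-absolute path.
        return normalised.startswith("/")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname strips userinfo and port and lower-cases the host, so
    # "https://app.example.com@evil.example/" compares as "evil.example".
    host = parts.hostname
    return host is not None and host in allowed_hosts


def create_app():
    """Build a small Flask app with a vulnerable and a hardened view.

    Flask is imported lazily so the check above can be exercised without it.
    """
    from flask import Flask, redirect, request

    app = Flask(__name__)

    @app.route("/go")
    def vulnerable():
        # CWE-601: the request controls the Location header outright.
        return redirect(request.args.get("next", "/"))

    @app.route("/login")
    def hardened():
        target = request.args.get("next", "/")
        if not is_safe_redirect_target(target):
            target = "/"  # fall back to a fixed location; never echo the bad value
        return redirect(target)

    return app


if __name__ == "__main__":
    create_app().run(debug=False)
```

With the app running, `/login?next=/account` redirects on-site, while `/login?next=//evil.example` and `/login?next=https://evil.example/` both land on `/`. Comparing `hostname` against an exact allowlist (rather than `netloc`, or a substring test) is what defeats the userinfo and port variants.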
Impact
Because the link the victim clicks begins on your domain, they have little reason to distrust the page they land on. An attacker can use the redirect to send users to a phishing page that imitates your login form, or to a site hosting malware, undermining trust in your application and enabling theft of credentials or other sensitive information. An open redirect can also be chained with other weaknesses, for example carrying session or token values present in the URL to the attacker's host, and it lends credibility to social-engineering campaigns.