Property
Language: ruby
Severity: medium
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code passes user-controlled input (such as request params or cookie values) directly to the redirect_to method without restricting the target to an internal path. An attacker can therefore supply an absolute URL that makes the application redirect users to an external, potentially malicious website.
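The following is an added example, not code from the rule or from Rails itself, showing the vulnerable pattern and one way to validate a user-supplied target before handing it to redirect_to. The helper below is framework-free so it runs stand-alone; `safe_redirect_target`, `FALLBACK_PATH` and the `ReturnPathsController` sketch in the comments are hypothetical names. It accepts only absolute paths on the current site and rejects absolute URLs, scheme-relative URLs (`//evil.example`) and backslash variants (`/\evil.example`) that some browsers normalise to an external host.

```ruby
require "uri"

# Constructed fallback; a real application would use root_path or similar.
FALLBACK_PATH = "/".freeze

# Returns the target if it is a same-site relative path, otherwise the fallback.
# A valid target must start with a single "/", contain no backslash, and parse
# without a scheme, host or userinfo component.
def safe_redirect_target(target, fallback: FALLBACK_PATH)
  return fallback if target.nil? || target.empty?
  return fallback if target.include?("\\")         # "/\evil.example" is treated as "//evil.example" by some browsers
  return fallback if target.start_with?("//")      # scheme-relative URL, resolves to another host
  return fallback unless target.start_with?("/")   # "https://...", "javascript:..." and bare words are rejected

  uri = URI.parse(target)
  return fallback if uri.scheme || uri.host || uri.userinfo  # any authority component means an external URL

  target
rescue URI::InvalidURIError
  fallback
end

# Vulnerable pattern the rule flags (Rails controller, shown as a comment so the
# file runs without Rails):
#
#   class ReturnPathsController < ApplicationController
#     def after_login
#       redirect_to params[:return_to]            # attacker controls the full URL
#     end
#   end
#
# Hardened form using the helper above:
#
#   class ReturnPathsController < ApplicationController
#     def after_login
#       redirect_to safe_redirect_target(params[:return_to], fallback: root_path)
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  ["/dashboard", "https://evil.example/phish", "//evil.example", "/\\evil.example", nil].each do |t|
    puts "#{t.inspect} -> #{safe_redirect_target(t)}"
  end
end
```

On Rails 7.0 and later the framework offers the same protection natively: `redirect_to` raises on non-local targets once `config.action_controller.raise_on_open_redirects = true` is set, and `url_from(params[:return_to]) || root_path` performs a check equivalent to the helper above. The hand-written validation is useful on older Rails versions or when the redirect target is built outside a controller.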

Impact

If exploited, attackers can craft links that cause your application to redirect users to phishing sites or malicious domains, leading to loss of user trust, possible credential theft, and facilitating social engineering attacks against your users.