
Config files : Open redirect

Classification

Overview

A phishing attack via redirection to a third-party resource is possible.

Parameters of the methods that cause redirection should be validated. If this validation is missing, an attacker can send a user to a malicious Web site and organize a phishing attack. Such attacks are widespread, as users do not have the habit of checking the authenticity of the URL after a redirect. Unvalidated Redirects and Forwards take the tenth place in the “OWASP Top 10 2013” ranking of Web application vulnerabilities.

A possible attack scenario:

1. The user visits the page https://example.com/login?redirect=https://evil.example.com/fakelogin
2. The redirect to a fake login page occurs.
3. The user enters his/her authentication data on the fake page.
4. The redirect to the original Web site is performed.
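The validation the entry calls for, as an added example that is not part of the DerScanner entry: the check below accepts only same-site targets and rejects the `https://evil.example.com/fakelogin` value from the scenario above, together with the usual bypass shapes (protocol-relative, backslash, userinfo and scheme-only forms). The application host `example.com` and the fallback target `/` are assumptions.

```python
from urllib.parse import urlsplit

# Assumed application host and fallback target (constructed for this example).
APP_HOST = "example.com"
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Return True only if `target` stays on our own site over HTTPS."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False  # control characters: header injection / parser confusion
    # Browsers treat backslashes as slashes, so "/\evil.example.com" is
    # really "//evil.example.com"; normalize before parsing.
    normalized = target.strip().replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute ("https://...", "https:evil...", "javascript:...") or
        # protocol-relative ("//evil...") form: allow only our own host,
        # with no userinfo trick such as "https://example.com@evil.example.com".
        try:
            port = parts.port
        except ValueError:
            return False
        return (
            parts.scheme == "https"
            and parts.hostname == app_host
            and parts.username is None
            and port in (None, 443)
        )
    # Relative form: must be an absolute path on this site ("/dashboard").
    return normalized.startswith("/") and not normalized.startswith("//")


def safe_redirect_target(target: str, app_host: str = APP_HOST) -> str:
    """Value to put in the Location header: the target if safe, else the fallback."""
    return target if is_safe_redirect(target, app_host) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample values of the `redirect` parameter.
    for sample in ["/dashboard", "https://example.com/account",
                   "https://evil.example.com/fakelogin", "//evil.example.com/",
                   "/\\evil.example.com", "https://example.com@evil.example.com/"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```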

DerScanner Severity Score: MEDIUM

