A phishing attack via redirection to a third-party resource is possible.

Parameters of the methods causing redirection should be validated. If it doesn’t happen, an attacker can send a user to a malicious Web site and organize a phishing attack. Such attacks are widespread, as users do not have the habit of checking the authenticity of the URL after a redirect. Unvalidated Redirects and Forwards attacks take the tenth place in the “OWASP Top 2013” ranking of Web application vulnerabilities.

A possible attack scenario:

The user visits a page https://example.com/login?redirect=https://evil.example.com/fakelogin
The redirect to a fake login page occurs.
The user enters his/her authentication data on the fake page.
The redirect to the original Web site is performed.

Java : Open redirect

DerScanner Severity Score

Do you want to fix Java : Open redirect in your application?

See also