Python: Open redirect

Classification

  OWASP Top 10 2013: A10 - Unvalidated Redirects and Forwards
  OWASP ASVS: Validation, Sanitization and Encoding
  PCI DSS 4.0: 6.2.4
  CWE: CWE-601, CWE-1036
  CWE/SANS Top 25 2011: CWE-601

Overview

An attacker can stage a phishing attack by redirecting users to a third-party resource.

Parameters of the methods that cause redirection must be validated. If they are not, an attacker can send a user to a malicious Web site and mount a phishing attack. Such attacks are widespread because users rarely check the authenticity of the URL after a redirect. Unvalidated Redirects and Forwards take tenth place in the OWASP Top 10 2013 ranking of Web application vulnerabilities.

A possible attack scenario:

  1. The user visits the page https://example.com/login?redirect=https://evil.example.com/fakelogin
  2. The application redirects the user to a fake login page.
  3. The user enters his/her credentials on the fake page.
  4. The user is redirected back to the original Web site.
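An added example (not from the original page) of the validation the Overview calls for, in standard-library Python: the redirect parameter is accepted only if it resolves to an allow-listed host or a same-site path, so the scenario above ends at a fixed fallback page instead of evil.example.com. ALLOWED_HOSTS, FALLBACK and the function names are assumptions chosen for this example.

```python
# Added example, not code from the original page: an allow-list check for
# redirect targets using only the standard library, so it runs offline.
from urllib.parse import urlsplit

# Hosts the application may redirect to (constructed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host.

    Accepts same-site relative paths ("/account") and absolute http(s) URLs
    whose hostname is in the allow-list. Rejects everything else, including
    inputs that slip past naive prefix or substring checks:
      - scheme-relative URLs ("//evil.example.com")
      - backslashes, which browsers normalise to "/" ("/\\evil.example.com")
      - userinfo tricks ("https://example.com@evil.example.com/")
      - non-http schemes ("javascript:", "data:")
      - control characters and whitespace that parsers may strip
    """
    if not target or any(ord(ch) < 0x21 for ch in target):
        return False
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # netloc may carry userinfo and a port; compare the hostname only.
        host = parts.hostname or ""
        return host.lower() in allowed_hosts
    # No netloc: require a plain relative path. "///evil.example.com" parses
    # with an empty netloc, so the "//" prefix must be rejected explicitly.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Vulnerable pattern: redirect(request.args['redirect']) trusts the
    parameter outright. Hardened pattern: use the target only when the check
    passes, otherwise fall back to a fixed same-site page."""
    return target if is_safe_redirect(target, allowed_hosts) else FALLBACK
```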

References

  1. WASC-38: URL Redirector Abuse
  2. OWASP Top 10 A10 2013: Unvalidated Redirects and Forwards
  3. Web Security: Unvalidated Redirects - Saleh Hamadeh / codeproject.com
  4. CWE-601
  5. CWE-1036