CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2307 vulnerabilities reference this CWE, most recent first.
GHSA-FQPH-HQC3-QF26
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL via isredirect=1&redirectURL= in conjunction with the token data (e.g., a valid authtoken= value).
{
"affected": [],
"aliases": [
"CVE-2021-34807"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL via isredirect=1\u0026redirectURL= in conjunction with the token data (e.g., a valid authtoken= value).",
"id": "GHSA-fqph-hqc3-qf26",
"modified": "2022-05-24T19:06:48Z",
"published": "2022-05-24T19:06:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34807"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FQPH-J6V6-JVGX
Vulnerability from github – Published: 2026-05-07 03:15 – Updated: 2026-05-14 20:54Impact
The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.
An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:
- Cloud metadata endpoints (e.g. 169.254.169.254) to steal IAM credentials
- Internal services on loopback (127.0.0.1) or private network ranges (10.x, 172.16.x, 192.168.x)
This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.
Patches
The vulnerability is fixed in v1.5.1.
Users should upgrade immediately:
pip install --upgrade docling-graph
The fix adds IP validation via ipaddress and socket.gethostbyname() before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (allow_redirects=False) with explicit validation of any Location header before following it.
Workarounds
If upgrading is not immediately possible, ensure that all URLs passed to URLInputHandler come exclusively from trusted, internal sources, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.
Resources
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.0"
},
"package": {
"ecosystem": "PyPI",
"name": "docling-graph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44520"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T03:15:46Z",
"nvd_published_at": "2026-05-14T18:16:50Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `URLInputHandler` class in `docling_graph/core/input/handlers.py` makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The `URLValidator` only checks for a valid scheme and non-empty `netloc`, performing no IP-level validation. Additionally, `requests.head()` was called with `allow_redirects=True`, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.\n\nAn attacker who can control the `--source` CLI argument or `PipelineConfig.source` API parameter can trigger Server-Side Request Forgery (SSRF) to reach:\n- Cloud metadata endpoints (e.g. `169.254.169.254`) to steal IAM credentials\n- Internal services on loopback (`127.0.0.1`) or private network ranges (`10.x`, `172.16.x`, `192.168.x`)\n\nThis affects deployments where `docling-graph` processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.\n\n### Patches\n\nThe vulnerability is fixed in **v1.5.1**.\n\nUsers should upgrade immediately:\n```\npip install --upgrade docling-graph\n```\n\nThe fix adds IP validation via `ipaddress` and `socket.gethostbyname()` before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (`allow_redirects=False`) with explicit validation of any `Location` header before following it.\n\n### Workarounds\n\nIf upgrading is not immediately possible, ensure that **all URLs passed to `URLInputHandler` come exclusively from trusted, internal sources**, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.\n\n### Resources\n\n- [CWE-918: Server-Side Request Forgery](https://cwe.mitre.org/data/definitions/918.html)\n- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n- [AWS Instance Metadata endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)",
"id": "GHSA-fqph-j6v6-jvgx",
"modified": "2026-05-14T20:54:24Z",
"published": "2026-05-07T03:15:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docling-project/docling-graph/security/advisories/GHSA-fqph-j6v6-jvgx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44520"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/docling-project/docling-graph"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler"
}
GHSA-FQXM-C9WH-542C
Vulnerability from github – Published: 2024-08-27 15:32 – Updated: 2024-08-27 15:32An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
{
"affected": [],
"aliases": [
"CVE-2024-7941"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-27T13:15:06Z",
"severity": "MODERATE"
},
"details": "An HTTP parameter may contain a URL value and could cause\nthe web application to redirect the request to the specified URL.\nBy modifying the URL value to a malicious site, an attacker may\nsuccessfully launch a phishing scam and steal user credentials.",
"id": "GHSA-fqxm-c9wh-542c",
"modified": "2024-08-27T15:32:48Z",
"published": "2024-08-27T15:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7941"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR3W-2P22-6W7P
Vulnerability from github – Published: 2024-03-12 20:50 – Updated: 2024-03-13 22:25Summary
The authentication API has a redirect parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL https://docs.directus.io/reference/authentication.html#login-using-sso-providers /auth/login/google?redirect for example.
Details
There's a redirect that is done after successful login via the Auth API GET request to directus/auth/login/google?redirect=http://malicious-fishing-site.com, which I think is here: https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L394. While credentials don't seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message "Your password needs to be updated" to phish out the current password.
PoC
Turn on any auth provider in Directus instance. Form a link to directus-instance/auth/login/:provider_id?redirect=http://malicious-fishing-site.com, login and get taken to malicious-site. Tested on the ory OAuth2 integration.
Impact
Users who login via OAuth2 into Directus.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28239"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-12T20:50:48Z",
"nvd_published_at": "2024-03-12T21:15:59Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL https://docs.directus.io/reference/authentication.html#login-using-sso-providers /auth/login/google?redirect for example.\n\n### Details\nThere\u0027s a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`, which I think is here: https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L394. While credentials don\u0027t seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message \"Your password needs to be updated\" to phish out the current password.\n\n### PoC\nTurn on any auth provider in Directus instance. Form a link to `directus-instance/auth/login/:provider_id?redirect=http://malicious-fishing-site.com`, login and get taken to malicious-site. Tested on the `ory` OAuth2 integration.\n\n### Impact\nUsers who login via OAuth2 into Directus.",
"id": "GHSA-fr3w-2p22-6w7p",
"modified": "2024-03-13T22:25:56Z",
"published": "2024-03-12T20:50:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-fr3w-2p22-6w7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28239"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/5477d7d61babd7ffc2f835d399bf79611b15b203"
},
{
"type": "WEB",
"url": "https://docs.directus.io/reference/authentication.html#login-using-sso-providers"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "URL Redirection to Untrusted Site in OAuth2/OpenID in directus"
}
GHSA-FR5J-M6WX-273V
Vulnerability from github – Published: 2025-06-20 00:30 – Updated: 2025-06-20 00:30A vulnerability classified as problematic has been found in PHPGurukul COVID19 Testing Management System 2021. Affected is an unknown function of the file /search-report-result.php. The manipulation of the argument q leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-6286"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-19T23:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in PHPGurukul COVID19 Testing Management System 2021. Affected is an unknown function of the file /search-report-result.php. The manipulation of the argument q leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-fr5j-m6wx-273v",
"modified": "2025-06-20T00:30:32Z",
"published": "2025-06-20T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6286"
},
{
"type": "WEB",
"url": "https://phpgurukul.com"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313290"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313290"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.593794"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FR6H-CVQR-2JQ8
Vulnerability from github – Published: 2023-09-06 18:30 – Updated: 2024-01-25 18:30A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.
This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.
{
"affected": [],
"aliases": [
"CVE-2023-20263"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T18:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.\n\n\n This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.",
"id": "GHSA-fr6h-cvqr-2jq8",
"modified": "2024-01-25T18:30:43Z",
"published": "2023-09-06T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20263"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-redirect-UxLgqdUF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR8H-R296-XGGF
Vulnerability from github – Published: 2024-12-12 12:31 – Updated: 2024-12-12 12:31An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.
{
"affected": [],
"aliases": [
"CVE-2024-11274"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T12:15:22Z",
"severity": "HIGH"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.",
"id": "GHSA-fr8h-r296-xggf",
"modified": "2024-12-12T12:31:14Z",
"published": "2024-12-12T12:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11274"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2813673"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/504707"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRC9-G2R4-48W5
Vulnerability from github – Published: 2023-06-22 21:30 – Updated: 2024-10-17 15:31A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.
{
"affected": [],
"aliases": [
"CVE-2023-28799"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20",
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-22T20:15:09Z",
"severity": "MODERATE"
},
"details": "\nA URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.\u00a0",
"id": "GHSA-frc9-g2r4-48w5",
"modified": "2024-10-17T15:31:06Z",
"published": "2023-06-22T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28799"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux\u0026applicable_version=1.4\u0026deployment_date=2022-10-31\u0026id=1420246"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android\u0026applicable_version=1.10.2\u0026deployment_date=2023-03-09\u0026id=1447706"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS\u0026applicable_version=1.10.1\u0026deployment_date=2023-03-10\u0026id=1447771"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS\u0026applicable_version=1.9.3\u0026deployment_date=2023-03-03\u0026id=1447071"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS\u0026applicable_version=3.9\u0026deployment_date=2023-01-25\u0026id=1443546"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows\u0026applicable_version=3.7\u0026deployment_date=2021-11-26\u0026id=1386541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRHP-4QGH-C626
Vulnerability from github – Published: 2023-10-19 00:30 – Updated: 2024-04-04 08:46zzzcms v2.2.0 was discovered to contain an open redirect vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-45909"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-18T23:15:08Z",
"severity": "MODERATE"
},
"details": "zzzcms v2.2.0 was discovered to contain an open redirect vulnerability.",
"id": "GHSA-frhp-4qgh-c626",
"modified": "2024-04-04T08:46:48Z",
"published": "2023-10-19T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45909"
},
{
"type": "WEB",
"url": "https://github.com/Num-Nine/CVE/issues/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRVG-P8G8-45CJ
Vulnerability from github – Published: 2026-02-16 12:30 – Updated: 2026-05-07 09:31URL Redirection to Untrusted Site ('Open Redirect') vulnerability in TR7 Cyber Defense Inc. Web Application Firewall allows Phishing.This issue affects Web Application Firewall: from 4.30 through 16022026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-2418"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-16T12:16:22Z",
"severity": "MODERATE"
},
"details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in TR7 Cyber \u200b\u200bDefense Inc. Web Application Firewall allows Phishing.This issue affects Web Application Firewall: from 4.30 through 16022026.\n\nNOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-frvg-p8g8-45cj",
"modified": "2026-05-07T09:31:26Z",
"published": "2026-02-16T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2418"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0066"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0066"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.