Friday, May 20, 2011

Mitigating Unvalidated Redirects and Forwards

• Never perform an internal forward (server-side transfer) without first checking that the user is authorized for the target URL; a forward skips the normal request pipeline, so the target's own access check may never run.
• Wherever possible, restrict your forward functionality to a defined set of authorized users rather than exposing it to all users, including unauthenticated ones.
• Where possible, avoid redirects altogether, or redirect only to static, hard-coded locations.
• When the redirect destination comes from a request parameter, validate the parameter against an allow-list of expected destinations (or use a short mapping key that the server resolves to a fixed URL) before issuing the redirect.
• Use your web server logs to identify potential redirect code. Look for HTTP status codes in the 300 series (301, 302, 303 and 307) and check whether the requests that produced them carry a URL in a query parameter.
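The checks in the list above, as an added example written for this page and not taken from the original post. It assumes hypothetical trusted hosts (www.example.com, help.example.com), hypothetical parameter names (`to`, `next`) and mapping keys, and constructed Common Log Format lines; none of these come from the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical hosts this application is allowed to send users to.
TRUSTED_HOSTS = {"www.example.com", "help.example.com"}

# Mapping-value approach: the request carries a short key, never a URL, and the
# server looks the real destination up in a fixed table (keys and targets assumed).
REDIRECT_MAP = {
    "home": "/",
    "account": "/account/profile",
    "help": "https://help.example.com/start",
}


def resolve_mapped_redirect(key):
    """Return the fixed destination for a mapping key, or None if the key is unknown."""
    return REDIRECT_MAP.get(key)


def is_safe_redirect_target(target, trusted_hosts=TRUSTED_HOSTS):
    """Allow-list check for a redirect destination taken from a request parameter.

    Accepts a same-origin absolute path ("/account") or an absolute http(s) URL whose
    host is explicitly trusted. Rejects the usual bypass shapes: scheme-relative
    "//evil.example", backslash variants "/\\evil.example", "javascript:" URLs and
    userinfo tricks such as "https://www.example.com@evil.example/".
    """
    if not target:
        return False
    # Control characters allow header injection into Location; browsers treat a
    # backslash as a slash, so "/\\evil.example" would be followed as "//evil.example".
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be an absolute path on this origin. A
        # scheme-relative "//host" parses with a netloc, so it never reaches here;
        # "///host" does, and is rejected by the second test.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL (or "http:relative", where hostname is None): host must be trusted.
    host = parts.hostname
    return host is not None and host in trusted_hosts


def choose_redirect(params, default="/"):
    """Pick a post-login destination: mapping key first, then a validated URL, else default."""
    mapped = resolve_mapped_redirect(params.get("to", ""))
    if mapped is not None:
        return mapped
    candidate = params.get("next", "")
    return candidate if is_safe_redirect_target(candidate) else default


# Common Log Format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})(?:\s|$)'
)
REDIRECT_STATUSES = {301, 302, 303, 307}


def find_redirect_candidates(log_lines):
    """Return (status, request path, external_param) for every 3xx redirect response.

    external_param is True when a query parameter value itself looks like a URL or a
    scheme-relative reference, the signature of an endpoint that takes its
    destination from the client and therefore needs the validation above.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or int(m.group("status")) not in REDIRECT_STATUSES:
            continue
        path = m.group("path")
        values = [v for _, v in parse_qsl(urlsplit(path).query)]
        external = any(v.startswith(("http://", "https://", "//")) for v in values)
        hits.append((int(m.group("status")), path, external))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2011:10:01:02 +0000] "GET /login?next=%2Faccount HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/May/2011:10:01:05 +0000] "GET /redirect?url=http://evil.example/phish HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/May/2011:10:01:06 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.10 - - [20/May/2011:10:01:07 +0000] "GET /old-page HTTP/1.1" 301 0',
]

if __name__ == "__main__":
    for status, path, external in find_redirect_candidates(SAMPLE_LOG):
        print(status, path, "<-- client-supplied destination" if external else "")
    print(choose_redirect({"next": "//evil.example/"}))  # falls back to "/"
```

The log scan is a triage aid, not proof: a 302 whose query carries a URL is a redirect endpoint worth reading, and a 302 with no such parameter may still compute its target from a cookie or session value, so the code review should cover every endpoint the scan surfaces.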

Thursday, May 19, 2011

Consequences of Unvalidated Redirects and Forwards

"Unvalidated Redirects and Forwards" threats can result in:

1. Complete spoof of your site: a victim who follows a link on your trusted domain is sent on to an attacker-controlled page that imitates it.
2. Bypassed authorization checks: an unvalidated forward can route a request to an internal page the user is not permitted to access.