• Never perform an internal forward (server-side transfer) without first authorizing the user for the target resource; a forward bypasses the access checks that protect the target URL.
• Wherever possible, restrict your forward functionality to a defined set of authorized users instead of exposing it to all unauthenticated users.
• Where possible, avoid redirects entirely, or redirect only to static, hard-coded locations.
• When the redirect target comes from a request parameter, validate the parameter against an allow-list of expected destinations before using it.
• Use web server logs to identify potential redirect code. Look for responses with HTTP status codes in the 300 series: 301, 302, 303, and 307.
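The two code-level recommendations above (validate a parameter-driven redirect against an allow-list, and mine the web logs for 3xx responses) can be exercised together. The following is an added example and not code from the original post; the `ALLOWED_HOSTS` set, the function names and the access-log lines are all assumptions constructed for illustration.

```python
"""Allow-list validation for a user-supplied redirect target, plus a log scan
for 3xx responses whose redirect parameter would not have passed that check.

Added example, not from the original post. Host names, function names and the
sample log lines are assumptions made for illustration only.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Hosts this application is permitted to redirect to (assumed for the example).
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `target` if it is a same-site relative path or an allow-listed
    https URL; otherwise return `default`.

    Rejects the usual open-redirect tricks: scheme-relative "//evil.example",
    backslash variants "/\\evil.example" (browsers treat "\\" as "/"),
    userinfo tricks "https://www.example.com@evil.example", non-http schemes
    such as "javascript:", and control characters (CRLF header injection).
    """
    if not target:
        return default
    # Any C0 control char, space or DEL is rejected outright.
    if re.search(r"[\x00-\x20\x7f]", target):
        return default
    # Normalise backslashes before parsing, since browsers do the same.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    # Case 1: no scheme and no authority -> must be a single-slash-rooted path.
    if not parts.scheme and not parts.netloc:
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return default

    # Case 2: absolute URL -> https only, no userinfo, host on the allow-list.
    if parts.scheme.lower() != "https":
        return default
    if parts.username is not None or parts.password is not None:
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    # Rebuild the URL from parsed parts rather than echoing the raw input.
    return urlunsplit(("https", parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


# Constructed sample access-log lines in Apache/nginx "combined" format.
# Not real traffic; the addresses and hosts are documentation values.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login?next=//evil.example/phish HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /go?url=https://www.example.com/help HTTP/1.1" 301 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Parameter names commonly used to carry a redirect destination (assumed list).
REDIRECT_PARAMS = {"next", "url", "redirect", "redirect_uri", "return",
                   "returnurl", "goto", "dest"}


def find_suspicious_redirects(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (status, request_target, param, value) tuples for 3xx responses
    whose request carried a redirect-style parameter that the validator above
    would not have passed through unchanged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        status = int(m.group("status"))
        if not 300 <= status < 400:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() in REDIRECT_PARAMS and \
                    safe_redirect_target(value, allowed_hosts) != value:
                hits.append((status, m.group("target"), key, value))
    return hits


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example", "/\\evil.example",
                      "https://www.example.com@evil.example/", "javascript:alert(1)",
                      "https://accounts.example.com/profile"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
    for hit in find_suspicious_redirects(SAMPLE_LOG):
        print("suspicious redirect:", hit)
```

The validator deliberately falls back to a fixed default instead of raising, so a tampered parameter degrades to a harmless same-site landing page. The log scan is only a first pass: it flags requests that a 3xx was returned for and that carried an off-site or malformed destination, which is where a code review for unvalidated redirects should start.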