The dangers of "Redirect" vulnerabilities

Written by KF and DP

Sunday, 29 April 2007

Redirect vulnerabilities are scripts which allow redirecting to an external site by directly calling a specific URL. These issues are often due to incorrect input validation, but are usually seen as a feature to redirect users.

What makes them dangerous is that a normal user who visits a trusted site may be redirected to a malicious one without noticing any changes (without checking the address bar). If the malicious site looks like the original one, then the user might be even more confused. Thus redirect vulnerabilities are highly critical on bank and other high-profiled web sites. There are many possible ways to obfuscate the malicious URLs, so it is often difficult to notice any change, especially if the URL is long.

We now allow submissions of these vulnerabilities, they will be mirrored with the "Redirect" category, but only the direct redirects will be accepted.

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.