The last of the top ten security threats facing web sites and apps today are unvalidated redirects and forwards. These can happen when an intruder can cause a web application to redirect visitors to a URL of his choosing. Often, such attacks are for the purpose of tricking the user to disclose some private information (phishing attacks) or for the installation of malware. These unsafe forwards bypass a sites built-in security checks. But because these links are found on a trusted site, users are not hesitance to click on them.

To determine your site’s vulnerability one should review the use of all redirects and forwards, also known as transfers in .Net applications, and verify that the target URL in any redirection is an allowable destination. Also locate redirects and forwards in use by crawling the site with a spider looking for pages that return any HTTP response codes between 300-307. Verify that these target URLs leads to the correct destinations.

The easiest way to prevent unvalidated redirects and forwards is not to use them. When they are used do not allow them to include parameters provided by users. If user supplied parameters must be used, ensure that they are valid and provided by an authorized users. Also, in place of actual URLs, user supplied parameters could use a mapping parameter that would be translated to the correct target URL. Also, ESAPI (The OWASP Enterprise Security API) could be used to ensure that no unsafe redirects are embedded in a site.