==Security issues==
URL redirection can be abused by attackers to perform [[phishing]] attacks. If a redirect target is not sufficiently validated by a web application, an attacker can make the application redirect to an arbitrary website. This vulnerability is known as an open-redirect vulnerability.<ref name=":0">{{Cite book |last1=Innocenti |first1=Tommaso |last2=Golinelli |first2=Matteo |last3=Onarlioglu |first3=Kaan |last4=Mirheidari |first4=Ali |last5=Crispo |first5=Bruno |last6=Kirda |first6=Engin |chapter=OAuth 2.0 Redirect URI Validation Falls Short, Literally |date=2023-12-04 |title=Annual Computer Security Applications Conference |chapter-url=https://dl.acm.org/doi/10.1145/3627106.3627140 |series=ACSAC '23 |location=New York, NY, USA |publisher=Association for Computing Machinery |pages=256–267 |doi=10.1145/3627106.3627140 |isbn=979-8-4007-0886-2|hdl=11572/399070 |hdl-access=free }}</ref><ref name="Open_Redirect"/> In certain cases, when an open redirect occurs as part of an [[authentication]] flow, the vulnerability is known as a covert redirect.<ref name="Covert_Redirect" /><ref name="CNET" /> When a covert redirect occurs, the attacker's website can steal [[Authentication cookie|authentication information]] from the victim website.<ref name=":0" />

Open redirect vulnerabilities are fairly common on the web. In June 2022, TechRadar found over 25 active examples of open redirect vulnerabilities on the web, including on sites such as [[Google]] and [[Instagram]].<ref>{{Cite web |author1=Mike Williams |date=2022-06-05 |title=What is an Open Redirect vulnerability, why is it dangerous and how can you stay safe? |url=https://www.techradar.com/features/what-is-open-redirect-vulnerability |access-date=2024-04-08 |website=TechRadar |language=en}}</ref> Open redirects have their own CWE identifier, CWE-601.<ref>{{Cite web |title=CWE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (4.14) |url=https://cwe.mitre.org/data/definitions/601.html |access-date=2024-04-08 |website=cwe.mitre.org}}</ref>

URL redirection also provides a mechanism to perform [[cross-site leak]] attacks. By timing how long a website takes to return a particular page, or by distinguishing one destination page from another, an attacker can learn significant information about another website's state. In 2021, Knittel et al. discovered a vulnerability in Chrome's Performance API implementation which allowed them to reliably detect cross-origin redirects.<ref>{{Cite book |last1=Knittel |first1=Lukas |last2=Mainka |first2=Christian |last3=Niemietz |first3=Marcus |last4=Noß |first4=Dominik Trevor |last5=Schwenk |first5=Jörg |chapter=XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers |date=2021-11-13 |title=Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security |chapter-url=https://dl.acm.org/doi/10.1145/3460120.3484739 |series=CCS '21 |location=New York, NY, USA |publisher=Association for Computing Machinery |pages=1771–1788 |doi=10.1145/3460120.3484739 |isbn=978-1-4503-8454-4}}</ref>
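The "insufficient validation" described above usually means a prefix or substring check on the redirect parameter. The following is an added illustration, not part of the article or of any project it cites: a naive prefix check beside a validator that resolves the candidate against the application's own origin and only ever emits a same-host relative path. `SITE_ORIGIN`, `ALLOWED_HOSTS` and both function names are assumptions made for the example.

```python
from urllib.parse import urlparse, urljoin

# Hypothetical application origin and host allow-list (assumed for this example).
SITE_ORIGIN = "https://app.example"
ALLOWED_HOSTS = {"app.example"}


def weak_is_safe(target: str) -> bool:
    """Naive check of the kind that produces CWE-601.

    Accepts anything that starts with the site origin or with a slash, so
    'https://app.example.evil.net/' and the scheme-relative '//evil.net'
    both pass even though a browser sends the user to evil.net.
    """
    return target.startswith(SITE_ORIGIN) or target.startswith("/")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that stays on the application's own host.

    The candidate is resolved against SITE_ORIGIN first, so scheme-relative
    ('//evil.net'), backslash ('/\\evil.net'), userinfo ('https://app.example@evil.net')
    and absolute URLs are all normalised before the host is compared.
    Anything that does not land on an allowed host falls back to `default`.
    """
    # Browsers treat backslashes in URLs as forward slashes; normalise first
    # so '/\\evil.net' is seen as '//evil.net' rather than as a local path.
    candidate = target.replace("\\", "/")
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parsed = urlparse(resolved)
    # Non-HTTP schemes (javascript:, data:) are returned unchanged by urljoin
    # and rejected here.
    if parsed.scheme not in ("http", "https"):
        return default
    if parsed.hostname not in ALLOWED_HOSTS:
        return default
    # Re-emit as a relative path so the Location header never carries a host.
    path = parsed.path or "/"
    return path + (f"?{parsed.query}" if parsed.query else "")
```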