Rule Definition
An HTTP parameter may contain a URL value, and the web application may redirect the request to the URL it specifies. By changing the URL value to point at a malicious site, an attacker can launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, the phishing attempt looks more trustworthy.
Remediation
Don't accept redirection destinations from users
Accept a destination key, and use it to look up the target (legal) destination
Accept only relative paths
White list URLs (if possible)
Validate that the beginning of the URL matches an entry in the white list
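The following servlet is an added example, not CAST's own code, showing how the remediation options above combine in practice: a destination key looked up in a fixed table, a relative-path-only check, and a white list that compares the parsed host rather than the raw string prefix. The class name SafeRedirectServlet, the parameter names "dest" and "next", and the table and host values are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not CAST's code). Names and values below are assumptions.
public class SafeRedirectServlet extends HttpServlet {

    // Option 1: destination keys. The client sends a key, never a URL, and the
    // key is looked up in this fixed table (assumed values; Map.of needs Java 9+).
    private static final Map<String, String> DESTINATIONS = Map.of(
            "home", "/app/home",
            "account", "/app/account",
            "docs", "https://docs.example.com/start");

    // Option 2: white list of hosts for the rare case where a full URL must be
    // accepted (assumed values). Hosts are compared after parsing, because a
    // plain startsWith("https://www.example.com") check would also accept
    // https://www.example.com.evil.test/ and https://www.example.com@evil.test/.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example.com", "docs.example.com");

    private static final String DEFAULT_TARGET = "/app/home";

    /** Resolve a destination key to its fixed target; unknown keys get the default. */
    static String resolveKey(String key) {
        if (key == null) {
            return DEFAULT_TARGET;
        }
        return DESTINATIONS.getOrDefault(key, DEFAULT_TARGET);
    }

    /** Accept only a relative path on this site. */
    static boolean isLocalRelativePath(String candidate) {
        if (candidate == null || !candidate.startsWith("/")) {
            return false;
        }
        // "//host/..." is protocol-relative and leaves the site; some browsers
        // treat "/\host" the same way.
        if (candidate.startsWith("//") || candidate.startsWith("/\\")) {
            return false;
        }
        try {
            URI uri = new URI(candidate);
            // A scheme or authority means it is not a plain local path.
            return uri.getScheme() == null && uri.getAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Accept an absolute URL only if it is https and its parsed host is white listed. */
    static boolean isWhiteListed(String candidate) {
        if (candidate == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return false;
        }
        return "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Preferred path: the caller supplies a key, never a URL.
        String key = request.getParameter("dest");
        if (key != null) {
            response.sendRedirect(resolveKey(key));
            return;
        }
        // Fallback: a "next" parameter is honoured only if it is a local
        // relative path or an https URL whose host is on the white list;
        // anything else falls back to the default target.
        String next = request.getParameter("next");
        if (isLocalRelativePath(next) || isWhiteListed(next)) {
            response.sendRedirect(next);
        } else {
            response.sendRedirect(DEFAULT_TARGET);
        }
    }
}
```

With this design a request such as ?dest=account redirects to /app/account, ?next=/app/orders is accepted as a local path, and ?next=https://www.example.com.evil.test/ or ?next=//evil.test/ falls back to the default target instead of leaving the site.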
Violation Code Sample
Sample 1:
The following code is a Java servlet that receives a GET request carrying a url parameter and redirects the browser to the address that parameter specifies. The servlet reads the url parameter value from the request and sends a redirect response to that address without validating it.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String query = request.getQueryString();
        // getQueryString() returns null when the request has no query string
        if (query != null && query.contains("url")) {
            String url = request.getParameter("url");
            // Violation: the user-supplied value is used as the redirect target unchecked
            response.sendRedirect(url);
        }
    }
}
------------------------------------------------------------------------
Sample 2:
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    [...]
    // Violation: redirectUrl is taken straight from the request and never validated
    resp.sendRedirect(req.getParameter("redirectUrl"));
    [...]
}
Fixed Code Sample
response.sendRedirect("http://www.mysite.com"); // Violation FIXED
Reference
http://cwe.mitre.org/data/definitions/601
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Related Technologies
Technical Criterion
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.