
# Open Redirects

An *HTTP redirect* is when a web-server returns an HTTP status code like 302 to tell the browser to make a request to a different URL. Redirects can also be performed in client-side JavaScript code by updating the browser URL directly.

Redirects are commonly used to push a user to an authentication page before viewing some protected content. In this scenario, the user will often be redirected again back to the original resource once they have successfully logged in.

If a redirect URL is pulled from a preceding HTTP request, you need to check that the URL is safe before redirecting the user. Typically, this means checking that the URL is a **relative URL** to a resource hosted under your web domain. **Open redirects** – which allow a maliciously crafted link to redirect the user to arbitrary third-party domains – are often used by spammers to disguise harmful links in emails.

## Disallowing Offsite Redirects

There are a number of ways of doing redirects in JavaScript framework code: updating `window.location` directly, using the browser’s history API, or using a router component. Whichever method you use, it is important to check that the URL you are redirecting to is a relative URL, that is, one that starts with a single `/` character:

=== Angular

```typescript
import { Component, OnInit } from '@angular/core';
import { ActivatedRoute, Router } from '@angular/router';
// AuthService is the application's own login service; the import path is assumed.
import { AuthService } from './auth.service';

// Selector and template path are assumed; the page shows only the class body.
@Component({ selector: 'app-login', templateUrl: './login.component.html' })
export class LoginComponent implements OnInit {
  // The username and password entered by the user in the login form.
  username = '';
  password = '';

  // The destination URL to redirect the user to once they log in successfully.
  destinationURL = '/feed';

  constructor(private authService: AuthService,
              private route: ActivatedRoute,
              private router: Router) { }

  ngOnInit() {
    // The destination is taken from the query string, i.e. from an untrusted source.
    this.destinationURL = this.route.snapshot.queryParams['destination'] || '/feed';
  }

  onSubmit() {
    this.authService.login(this.username, this.password)
      .subscribe(
        () => {
          // After the user has logged in, redirect them to their desired destination.
          let url = this.destinationURL;

          // Confirm that the URL is a relative path, i.e. it starts with a single '/' character
          // (a second '/' or a '\' would make it a protocol-relative, offsite URL).
          if (!url.match(/^\/[^\/\\]/)) {
            url = '/feed';
          }

          this.router.navigate([url]);
        });
  }
}
```

=== React

```jsx
import React from 'react';
import { Route, Redirect } from 'react-router-dom';
import queryString from 'query-string';

/**
 * A wrapper for <Route> that redirects to /feed if the user is authenticated.
 */
function UnauthenticatedRoute(props) {
  if (!props.loggedIn) {
    return <Route {...props} />
  }

  // If the user has just authenticated, check the query string for their intended destination.
  const parsed = queryString.parse(props.location.search)

  let url = '/feed'

  // Ensure this is a relative URL within the site (i.e. it starts with a single / character).
  // The typeof check guards against a repeated ?destination= parameter, which parse() returns as an array.
  if (typeof parsed.destination === 'string' && parsed.destination.match(/^\/[^\/\\]/)) {
    url = parsed.destination
  }

  return <Redirect to={{ pathname: url }} />
}
```

This code makes sure all redirect URLs are relative path URLs, i.e. they start with a single `/` character. (Note that URLs starting with `//` are interpreted by the browser as protocol-relative absolute URLs, so they must be rejected too. The regex also rejects a `/` followed by `\`, because browsers normalise a backslash to a forward slash when parsing `http(s)` URLs, which would turn `/\evil.example` into `//evil.example`.)
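The same check, pulled out into a reusable helper and exercised against the edge cases discussed above. This is an added example and not code from the original page; it goes one step further than the snippets by resolving the candidate against the site's own origin (here the constructed placeholder `https://app.example`) and confirming that the origin is unchanged, and the function names are hypothetical.

```javascript
// Added example (not from the original page). Returns a same-site redirect
// target, or the fallback when the candidate is missing or unsafe.

const DEFAULT_DESTINATION = '/feed';

// Accept only a path starting with exactly one '/', whose second character is
// neither '/' nor '\'. This rejects protocol-relative URLs ("//evil.example")
// and the "/\evil.example" spelling that browsers normalise to the same thing.
// A bare "/" is also rejected, matching the page's regex.
const RELATIVE_PATH = /^\/[^\/\\]/;

// Constructed placeholder for the application's own origin.
const SITE_ORIGIN = 'https://app.example';

function safeRedirectTarget(candidate, fallback = DEFAULT_DESTINATION) {
  if (typeof candidate !== 'string' || !RELATIVE_PATH.test(candidate)) {
    return fallback;
  }

  // Belt-and-braces: resolve the candidate the way a browser would and make
  // sure it still lands on our own origin. Unparseable input falls back too.
  let resolved;
  try {
    resolved = new URL(candidate, SITE_ORIGIN);
  } catch (err) {
    return fallback;
  }
  if (resolved.origin !== SITE_ORIGIN) {
    return fallback;
  }

  // Return the normalised path (plus query and fragment) rather than the raw input.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Pull the 'destination' parameter from a query string (as the React snippet
// does with queryString.parse) and validate it in one step. A missing
// parameter yields null, which safeRedirectTarget treats as unsafe.
function destinationFromQuery(search, fallback = DEFAULT_DESTINATION) {
  const params = new URLSearchParams(search);
  return safeRedirectTarget(params.get('destination'), fallback);
}
```

A router component can call `destinationFromQuery(location.search)` and navigate to the result without any further checks, because every return value is either the fallback or a path on the site's own origin.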

## Other Considerations

Open redirects in client-side code occur when your site redirects to a URL taken from an untrusted source – usually either the query string or the URL fragment of the current URL. If you are sending the user to the login page with the intention of redirecting after they log in, consider writing the redirect URL to `localStorage` or `sessionStorage` instead of putting it in the query string. This removes the ability of an attacker to smuggle in malicious redirect URLs.

## CWEs

* [CWE-601](https://cwe.mitre.org/data/definitions/601.html)
