Security Unvalidated Redirects Prevention


// Security - Unvalidated Redirects - Prevention:

There are several common mitigations that can be used to prevent open redirects 
from occurring. The primary mitigations are as follows:

1. Do not use URL parameters for redirection. If the destination can be 
   hardcoded in the application rather than read from the request, there is 
   nothing for an attacker to leverage. 

2. If parameter based redirection is needed, force relative URLs such as 
   "/home/home.jsp". Check that the value is a site-local path beginning with a 
   single "/": a protocol-relative value such as "//evil.example" or a backslash 
   variant such as "/\evil.example" is treated by browsers as a different host, 
   so both must be rejected.

3. If relative URLs are too restrictive, an allow-list approach can be 
   employed to check the redirect parameter against a list of known good hosts. 
   Parse the URL and compare the host exactly; a substring or prefix check 
   would accept "https://www.salesforce.com.evil.example". You can even take 
   this a step further and map out specific endpoints with keys like this:

   Example: c.na1.visual.force.com/apex?retUrl=1.  Maintain a mapping in code 
   or object that maps parameter retUrl numbers to actual URLs; a key that is 
   not in the mapping falls back to a default page.

   Map<Integer, String> urlMappings = new Map<Integer, String>{
       1 => '/home/home.jsp',
       2 => 'https://www.salesforce.com'
   };
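The three mitigations above (a key-to-URL mapping, a relative-path check, and an 
exact host allow list) combined into one resolver, as an added example in Python 
that is not code from the page (the page's own snippet is Apex). The allow list, 
the key map and the default target are sample values constructed for the example; 
the host names simply mirror the page's Salesforce example.

```python
from urllib.parse import urlsplit

# Sample values constructed for this example: the hosts mirror the page's
# Salesforce example and the key map mirrors its urlMappings; a real
# deployment loads its own allow list from configuration.
ALLOWED_HOSTS = {"www.salesforce.com", "c.na1.visual.force.com"}
URL_MAPPINGS = {1: "/home/home.jsp", 2: "https://www.salesforce.com"}
DEFAULT_TARGET = "/home/home.jsp"


def is_safe_relative_url(url):
    """True only for a site-local path: a single leading '/', no scheme, no host.

    '//host' is protocol-relative and '/\\host' is treated as '//host' by
    browsers, so both are rejected, as is any whitespace or backslash.
    """
    if not url.startswith("/") or url.startswith("//"):
        return False
    if any(c.isspace() or c == "\\" for c in url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def is_allowed_absolute_url(url):
    """True only for an https URL whose parsed host matches the allow list
    exactly (no substring or prefix matching), with no embedded credentials
    and no non-default port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # unparsable port, e.g. "https://host:abc/"
        return False
    return parts.hostname in ALLOWED_HOSTS  # hostname is already lower-cased


def resolve_redirect(param):
    """Turn the raw retUrl parameter into a destination the server is willing
    to send the browser to, falling back to DEFAULT_TARGET otherwise.

    Accepted forms, in order: a numeric key from URL_MAPPINGS, a site-local
    relative path, or an allow-listed absolute URL.
    """
    if param is None:
        return DEFAULT_TARGET
    param = param.strip()
    if param.isdecimal():
        return URL_MAPPINGS.get(int(param), DEFAULT_TARGET)
    if is_safe_relative_url(param) or is_allowed_absolute_url(param):
        return param
    return DEFAULT_TARGET


if __name__ == "__main__":
    for value in ["1", "2", "7", "/home/home.jsp", "//evil.example/",
                  "/\\evil.example", "https://www.salesforce.com/setup",
                  "https://www.salesforce.com.evil.example/",
                  "https://www.salesforce.com@evil.example/",
                  "http://www.salesforce.com/", "javascript:alert(1)"]:
        print(f"{value!r:48} -> {resolve_redirect(value)}")
```

The numeric-key branch is the safest of the three and should be preferred where 
the set of destinations is known; the relative and absolute branches exist for 
the cases the page describes where a fixed mapping is too restrictive.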

So, to avoid the issue with open redirect:

1. Do not use a parameter to redirect.

2. If we do use a parameter to redirect, make sure we validate the parameter, 
   perhaps by appending another parameter that acts as a verification parameter.  
   This verification parameter is produced by a server-side function that takes 
   the URL to be redirected to and a server-side secret and returns a keyed 
   checksum of the two.  Use a proper MAC such as HMAC-SHA256 for this; a bare 
   SHA1 or MD5 hash of the URL and the secret concatenated is a home-grown MAC 
   built on weak hashes and should be avoided.  Before we redirect, we re-run 
   the server-side function on the supplied URL and verify that the 
   verification parameter matches the result, comparing the two values in 
   constant time.  Note that the checksum only proves the server itself 
   generated the link, so the server must only sign destinations it has 
   already validated; if an attacker can get the server to sign an arbitrary 
   URL, the check adds nothing.
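The signed-parameter scheme from step 2, as an added example in Python that is not 
code from the page. It uses HMAC-SHA256 in place of the SHA1/MD5 checksum the 
text mentions and a constant-time comparison on verify. The secret value, the 
parameter name "sig", the page and target URLs and the helper names are all 
assumptions made for the example; the tamper() helper only simulates an attacker 
rewriting the link.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption: in real code the secret is loaded from configuration or a key
# store, never committed in source. This value is a placeholder for the example.
SERVER_SECRET = b"example-only-secret-load-from-config"
DEFAULT_TARGET = "/home/home.jsp"


def sign_redirect(url, secret=SERVER_SECRET):
    """Keyed checksum over the destination: HMAC-SHA256, hex encoded."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_redirect(url, sig, secret=SERVER_SECRET):
    """Recompute the tag and compare in constant time; empty or wrong tags fail."""
    if not url or not sig:
        return False
    return hmac.compare_digest(sign_redirect(url, secret), sig)


def build_redirect_link(page, target, secret=SERVER_SECRET):
    """What the server emits when it builds a link: retUrl plus its signature.

    The caller must only pass destinations it has already validated; the
    signature proves the server minted the link, nothing more.
    """
    query = urlencode({"retUrl": target, "sig": sign_redirect(target, secret)})
    return f"{page}?{query}"


def redirect_from_query(query_string, secret=SERVER_SECRET, default=DEFAULT_TARGET):
    """Server side of the redirect: honour retUrl only if its sig checks out."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    url = params.get("retUrl", "")
    sig = params.get("sig", "")
    return url if verify_redirect(url, sig, secret) else default


def tamper(query_string, new_target):
    """Simulate an attacker rewriting retUrl while keeping the original sig."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    params["retUrl"] = new_target
    return urlencode(params)


if __name__ == "__main__":
    link = build_redirect_link("https://c.na1.visual.force.com/apex",
                               "https://www.salesforce.com/setup")
    query = link.split("?", 1)[1]
    print("genuine :", redirect_from_query(query))
    print("tampered:", redirect_from_query(tamper(query, "https://evil.example/")))
```

Because the signature binds the exact decoded retUrl string, any change to the 
destination, or a request that omits sig altogether, falls back to the default 
page instead of redirecting.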

Safe use of redirects and forwards can be done in a number of ways:

1. Simply avoid using redirects and forwards.

2. If used, don’t involve user parameters in calculating the destination. This 
   can usually be done.

3. If destination parameters can’t be avoided, ensure that the supplied value is 
   valid, and authorized for the user.

4. It is recommended that any such destination parameters be a mapping value, 
   rather than the actual URL or portion of the URL, and that server side code 
   translate this mapping to the target URL.

5. Applications can use ESAPI to override the sendRedirect() method to make 
   sure all redirect destinations are safe: ESAPI's HTTPUtilities.sendRedirect() 
   refuses a destination that does not match the redirect validation pattern 
   configured in ESAPI.properties.

Avoiding such flaws is extremely important as they are a favorite target of 
phishers trying to gain the user’s trust.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License