Open Redirection (DOM based)

Summary

Netsparker detected a DOM based Open Redirection vulnerability. Open redirect occurs when a web page is being redirected to another URL in another domain via a user-controlled input.

Impact

An attacker can use this vulnerability to redirect users to other malicious websites, which can be used for phishing and similar attacks.

Remediation

Where possible, do not use users' input for URLs.
If you definitely need dynamic URLs, use whitelisting. Make a list of valid, accepted URLs and do not accept other URLs.
Ensure that you only accept URLs those are located on the trusted domains.

Classifications

CWE-601, ISO27001-A.14.2.5, WASC-38, OWASP 2013-A10 , CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

Further Reading

What is an Open Redirection Vulnerability and How to Prevent it?

Netsparker Security Insights

Separating Subdomains From Third-Party Hosted WWW Domains
Analyzing Impact of WWW Subdomain on Cookie Security
DOM Based Cross-site Scripting Vulnerability

Helpful Use Cases

Knowing and Preventing DOM-based XSS