1. Home
  2. CWE Database
  3. CWE-601
Base · Medium

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

CWE-601 · Base Level ·4 CVEs ·6 Mitigations

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Open Redirect Guide

Read our in-depth guide on exploiting and mitigating this weakness

Potential Impact

Access Control

Bypass Protection Mechanism, Gain Privileges or Assume Identity

Access Control, Confidentiality, Other

Bypass Protection Mechanism, Gain Privileges or Assume Identity, Other

Demonstrative Examples

The following code obtains a URL from the query string and then redirects the user to that URL.
Bad
$redirect_url = $_GET['url'];header("Location: " . $redirect_url);
The problem with the above code is that an attacker could use this page as part of a phishing scam by redirecting users to a malicious site. For example, assume the above code is in the file example.php. An attacker could supply a user with the following link:
Attack
http://example.com/example.php?url=http://malicious.example.com
The user sees the link pointing to the original trusted site (example.com) and does not realize the redirection that could take place.
The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address.
Bad
public class RedirectServlet extends HttpServlet {
                     
                        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {String query = request.getQueryString();if (query.contains("url")) {String url = request.getParameter("url");response.sendRedirect(url);}}
                     }
The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of an e-mail phishing scam to redirect users to a malicious site. An attacker could send an HTML formatted e-mail directing the user to log into their account by including in the e-mail the following link:
Attack
<a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a>
The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site.

Mitigations & Prevention

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Architecture and Design

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.

Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Architecture and DesignImplementation

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Many open redirect problems occur because the programmer assumed th

Operation Moderate

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Detection Methods

  • Manual Static Analysis High — Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
  • Automated Dynamic Analysis — Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.
  • Automated Static Analysis — Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.
  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
  • Automated Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Automated Results Interpretation High — According to SOAR [REF-1479], the following detection techniques may be useful:

Real-World CVE Examples

CVE IDDescription
CVE-2005-4206URL parameter loads the URL into a frame and causes it to appear to be part of a valid page.
CVE-2008-2951An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper
CVE-2008-2052Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter.
CVE-2020-11053Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the valida

CWE-610: Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended ...

Taxonomy Mappings

  • WASC: 38 — URl Redirector Abuse
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-601?

CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

How can CWE-601 be exploited?

Attackers can exploit CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) to bypass protection mechanism, gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-601?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-601?

CWE-601 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.