Request Forgery: Open redirection Forgery

Identifier: open_redirect

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

Open redirection happens when an application uses user-supplied input (typically a URL parameter such as a "next" or "return" value) to decide where to send the user, without validating that input. An attacker can then make the application redirect users to a site they control that imitates the legitimate one, which supports phishing attacks. The usual root cause is a simple mistake: not validating or sanitizing the redirect target, which lets attackers abuse the trust users place in the legitimate domain. Left unchecked, this vulnerability erodes user trust and exposes users to a range of follow-on attacks.
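An added example, not taken from the scanner's documentation: the target-selection logic of a vulnerable redirect handler beside a hardened version that only accepts targets on the application itself. The allowlisted host `app.example.com` and the fallback path `/` are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: the only host this application will redirect to.
ALLOWED_HOSTS = {"app.example.com"}
FALLBACK = "/"


def vulnerable_redirect_target(next_param: str) -> str:
    """'Before' behaviour: the parameter is trusted verbatim."""
    return next_param


def safe_redirect_target(next_param: Optional[str]) -> str:
    """Return a redirect target that stays on this application.

    Rejects absolute URLs to foreign hosts, protocol-relative URLs
    (//evil.example), backslash variants (/\\evil.example), non-http
    schemes and bare relative paths; anything rejected becomes FALLBACK.
    """
    if not next_param:
        return FALLBACK
    # Browsers treat backslashes like forward slashes when locating the
    # authority, so normalise them before any leading-slash check.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only http(s) to an allowlisted
        # host passes. Comparing the whole netloc also rejects user@host and
        # explicit-port forms rather than trying to interpret them.
        if parts.scheme not in ("http", "https"):
            return FALLBACK
        if parts.netloc.lower() not in ALLOWED_HOSTS:
            return FALLBACK
        return urlunsplit(parts)
    # Relative target: must be rooted with exactly one leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return FALLBACK
    return candidate
```

The check is deliberately conservative: a bare path without a leading slash is refused rather than guessed at, and any doubt resolves to the fallback.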

Configuration

Example

Example configuration:

---
security_tests:
  open_redirect:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.