==Security issues==
=== Open redirects ===
URL redirection can be abused by attackers to perform [[phishing]] attacks. If a redirect target is not sufficiently validated by a web application, an attacker can make the web application redirect to an arbitrary website. This vulnerability is known as an open-redirect vulnerability.<ref name=":0">{{Cite journal |last=Innocenti |first=Tommaso |last2=Golinelli |first2=Matteo |last3=Onarlioglu |first3=Kaan |last4=Mirheidari |first4=Ali |last5=Crispo |first5=Bruno |last6=Kirda |first6=Engin |date=2023-12-04 |title=OAuth 2.0 Redirect URI Validation Falls Short, Literally |url=https://dl.acm.org/doi/10.1145/3627106.3627140 |journal=Proceedings of the 39th Annual Computer Security Applications Conference |series=ACSAC '23 |location=New York, NY, USA |publisher=Association for Computing Machinery |pages=256–267 |doi=10.1145/3627106.3627140 |isbn=979-8-4007-0886-2}}</ref> In certain cases, when an open redirect occurs as part of an [[authentication]] flow, the vulnerability is known as a covert redirect. When a covert redirect occurs, the attacker's website can steal [[Authentication cookie|authentication information]] from the victim website.<ref name=":0" /> Open redirect vulnerabilities are fairly common on the web. In June 2022, TechRadar found over 25 active examples of open redirect vulnerabilities on the web, including sites like [[Google]] and [[Instagram]].<ref>{{Cite web |last=published |first=Mike Williams |date=2022-06-05 |title=What is an Open Redirect vulnerability, why is it dangerous and how can you stay safe? |url=https://www.techradar.com/features/what-is-open-redirect-vulnerability |access-date=2024-04-08 |website=TechRadar |language=en}}</ref> Open redirects have their own CWE identifier, CWE-601.<ref>{{Cite web |title=CWE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (4.14) |url=https://cwe.mitre.org/data/definitions/601.html |access-date=2024-04-08 |website=cwe.mitre.org}}</ref>
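The following is an added illustration, not part of the article or of any cited source: a redirect handler that echoes a <code>next</code> parameter unchecked (the open-redirect pattern described above) next to a hardened version that resolves the parameter against the site's own origin and only allows a redirect when the resulting host is on an allowlist. The trusted hosts (<code>example.com</code>, <code>www.example.com</code>) and the base URL are assumptions for the example; the code uses only the Python standard library.

```python
from urllib.parse import urljoin, urlparse

# Assumed allowlist of hosts this application is willing to redirect to.
TRUSTED_HOSTS = {"example.com", "www.example.com"}
# Assumed origin of the application itself; relative targets resolve against it.
SITE_BASE = "https://example.com/"


def naive_redirect_target(next_url: str) -> str:
    """Vulnerable pattern (CWE-601): the parameter goes straight into the
    Location header, so ?next=https://evil.example sends the user anywhere."""
    return next_url


def resolve_redirect_target(next_url: str, site_base: str = SITE_BASE):
    """Return the absolute URL the user would be sent to if it is acceptable,
    or None if the target must be rejected."""
    if not next_url:
        return None
    # Control characters and whitespace are never legitimate in a redirect
    # target and are a classic way to smuggle a second header or confuse parsers.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in next_url):
        return None
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" is really
    # a protocol-relative URL; normalise before resolving so Python sees the same.
    normalised = next_url.replace("\\", "/")
    # Resolve relative forms ("/account", "//host/x", "../x") against our origin.
    resolved = urljoin(site_base, normalised)
    parsed = urlparse(resolved)
    # Reject non-web schemes such as javascript: or data:.
    if parsed.scheme not in ("http", "https"):
        return None
    # .hostname strips userinfo and port and lowercases, so
    # "https://example.com@evil.example/" is judged by "evil.example".
    host = parsed.hostname
    if host is None or host not in TRUSTED_HOSTS:
        return None
    return resolved


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """What a hardened handler would put in the Location header: the resolved,
    validated absolute URL, or a fixed in-site fallback."""
    target = resolve_redirect_target(next_url)
    return target if target is not None else fallback


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate in-site path plus the usual
    # bypass shapes an open-redirect check has to handle.
    for candidate in ["/account", "//evil.example/x", "/\\evil.example",
                      "https://evil.example", "javascript:alert(1)",
                      "https://example.com@evil.example/", "///evil.example", ""]:
        print(f"{candidate!r:40} naive={naive_redirect_target(candidate)!r:32} "
              f"safe={safe_redirect_target(candidate)!r}")
```

Two design points matter here. First, the handler emits the resolved absolute URL rather than echoing the parameter back: Python's <code>urljoin</code> and browsers disagree on malformed inputs such as <code>///evil.example</code> (Python resolves it to a path on the site, a browser would treat it as a new host), and sending the already-resolved URL removes that ambiguity. Second, the check is an allowlist on the parsed hostname, not a substring or prefix test on the raw string, which is what the userinfo trick (<code>https://example.com@evil.example/</code>) and the protocol-relative forms are designed to defeat.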
==See also==