Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page. Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, because they target internal pages.
Technical Specifications
- Technical specifications
- WASC TC v2.0 Classes Coverage
- WASC TC v1.0 Classes Coverage
- OWASP Top Ten 2013 Coverage
- OWASP Top Ten 2010 Coverage
- OWASP Top Ten 2007 Coverage
- OWASP Top Ten 2004 Coverage
- 2011 CWE/SANS Top 25 Coverage
- 2010 CWE/SANS Top 25 Coverage
- 2009 CWE/SANS Top 25 Coverage
- The Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST Special Publication 800-53
- Sarbanes-Oxley Act (SOX)
- DISA Security Technical Implementation Guide (STIG)
- ISO/IEC 27001:2005 Coverage
- ISO/IEC 27001:2013 Coverage
OWASP Top 10 2013 Contents
- OWASP Top Ten 2013
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting, XSS
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery, CSRF
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards