Unsanitized user input in redirect

  • Rule ID: javascript_hapi_open_redirect
  • Languages: javascript
  • Source: open_redirect.yml

Description

A redirect using unsanitized user input is bad practice and puts your application at greater risk of phishing attacks.

Remediations

❌ Do not use unsanitized user input when constructing URLs

✅ Instead, ensure the input is validated by using a safe list or a mapping when constructing URLs

  var map = {
"1": "/planes",
"2": "/trains",
"3": "/automobiles",
}

res.redirect(map[req.body.transport])

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_hapi_open_redirect

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_hapi_open_redirect