Unsanitized user input in redirect

  • Rule ID: javascript_lang_open_redirect
  • Languages: javascript
  • Source: open_redirect.yml

Description

Using unsanitized user input in redirects increases the risk of phishing attacks. This vulnerability occurs when an application dynamically redirects users to a URL that includes user-controlled input without proper validation or sanitization.

Remediations

  • Do not directly use user input in redirect URLs. This can lead to phishing attacks where attackers can redirect users to malicious sites.
  • Do validate and sanitize all user input used in redirects. Ensure that the destination URLs are safe and intended. Use a whitelist of allowed URLs if possible.
  • Do use server-side redirection methods that do not allow user input to directly influence the destination. This ensures that the application controls the redirect targets.
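The remediations above side by side, as an added example (this is not Bearer's code and not part of the rule): an Express-style handler that passes the "next" query parameter straight to res.redirect(), which is the shape this rule reports, next to a version that resolves the input against the application's own origin and only redirects when the resulting host is on an allowlist. APP_ORIGIN, ALLOWED_HOSTS, the handler names and the fake response object are constructed for the demo; adjust the origin and allowlist for your deployment.

```javascript
// Added example (not Bearer's code): resolving a user-supplied redirect target
// against an allowlist before it reaches res.redirect().
// APP_ORIGIN and ALLOWED_HOSTS are constructed values for this demo.
const APP_ORIGIN = "https://app.example";
const ALLOWED_HOSTS = new Set(["app.example", "accounts.example"]);
const FALLBACK = "/";

// Vulnerable pattern, the shape this rule reports: the "next" query parameter
// flows straight into the redirect, so ?next=https://evil.example is honoured.
function vulnerableRedirect(req, res) {
  res.redirect(req.query.next);
}

// Turn untrusted input into a redirect target the application controls.
// Returns an absolute URL on an allowed host, or FALLBACK for anything else.
function safeRedirectTarget(input, fallback = FALLBACK) {
  if (typeof input !== "string" || input.length === 0) return fallback;

  let target;
  try {
    // Resolving against APP_ORIGIN keeps "/account" on the app itself, while
    // "//evil.example", "/\\evil.example" and "https://evil.example" all
    // resolve to a foreign host that the allowlist check below rejects.
    target = new URL(input, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }

  // Only https targets; this drops javascript:, data: and similar schemes.
  if (target.protocol !== "https:") return fallback;

  // Exact hostname match: "app.example.evil.example" is not "app.example",
  // so a startsWith()-style check would be wrong here.
  if (!ALLOWED_HOSTS.has(target.hostname)) return fallback;

  // Drop any userinfo so the Location header never carries credentials.
  target.username = "";
  target.password = "";
  return target.href;
}

// Hardened handler: the redirect destination is always the validated value.
function hardenedRedirect(req, res) {
  res.redirect(safeRedirectTarget(req.query.next));
}

// Minimal stand-in for an Express-style response object, so this runs offline.
function fakeResponse() {
  return {
    location: null,
    redirect(url) { this.location = url; },
  };
}

// Run both handlers over the same constructed inputs and report where each
// would send the user.
function demo() {
  const inputs = ["/account/settings", "//evil.example/phish",
                  "https://accounts.example/login?x=1", "javascript:alert(1)"];
  return inputs.map((next) => {
    const vuln = fakeResponse();
    const safe = fakeResponse();
    vulnerableRedirect({ query: { next } }, vuln);
    hardenedRedirect({ query: { next } }, safe);
    return { next, vulnerable: vuln.location, hardened: safe.location };
  });
}

console.table(demo());
```

The allowlist check is done on the parsed hostname rather than on the raw string on purpose: the WHATWG URL parser normalises protocol-relative ("//host"), backslash ("/\host") and mixed-case forms to a single hostname, so string prefix checks that look safe ("starts with /") are exactly the ones that let a foreign host through. When the application only ever redirects within itself, a shorter option is to drop the allowlist and accept only targets whose hostname equals the app's own.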

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_open_redirect

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_open_redirect