Open redirect detected.

Rule ID: php_lang_open_redirect
Languages: php
Source: open_redirect.yml

Description

A redirect using unsanitized user input is bad practice and puts your application at greater risk of phishing attacks.

Remediations

❌ Do not use unsanitized user input when constructing URLs

✅ Instead, ensure the input is validated by using a safe list or a mapping when constructing URLs

  $paths = [
    "1" => "/planes",
    "2" => "/trains",
    "3" => "/automobiles",
  ];

  $transport = $_GET["transport"];
  header("Location: {$paths[$transport]}", true, 301);

Resources

OWASP open redirect

Associated CWE

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

OWASP Top 10

A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_open_redirect

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_open_redirect

Ready to take the next step? Learn more about Bearer Cloud.