CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
常见后果
影响范围: Access Control
技术影响: Bypass Protection Mechanism Gain Privileges or Assume Identity
说明: The user may be redirected to an untrusted page that contains malware which may then compromise the user's system. In some cases, an open redirect can also enable the immediate download of a file without the user's permission, because the redirection to an external site may lead to endpoints on those sites that automatically trigger a download action ("drive-by download" [REF-1478]). This will expose the user to extensive risk. The user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
影响范围: Access Control Confidentiality Other
技术影响: Bypass Protection Mechanism Gain Privileges or Assume Identity Other
说明: By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam. The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
潜在缓解措施
阶段: Implementation
策略: Input Validation
阶段: Architecture and Design
描述: Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
阶段: Architecture and Design
策略: Enforcement by Conversion
阶段: Architecture and Design
描述: Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
阶段: Architecture and Design Implementation
策略: Attack Surface Reduction
阶段: Operation
策略: Firewall
描述: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
有效性: Moderate
检测方法
方法: Manual Static Analysis
Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
有效性: High
方法: Automated Dynamic Analysis
Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.
方法: Automated Static Analysis
Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
方法: Automated Static Analysis - Binary or Bytecode
有效性: High
方法: Dynamic Analysis with Automated Results Interpretation
有效性: High
方法: Dynamic Analysis with Manual Results Interpretation
有效性: High
方法: Manual Static Analysis - Source Code
有效性: High
方法: Automated Static Analysis - Source Code
有效性: High
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-2005-4206
URL parameter loads the URL into a frame and causes it to appear to be part of a valid page.
参考: CVE-2008-2951
An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function.
参考: CVE-2008-2052
Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter.
参考: CVE-2020-11053
Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601)
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Implementation | - |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| WASC | 38 | URl Redirector Abuse | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |