Unvalidated DOM redirect

High Web Application Scanning Plugin ID 98103


Unvalidated DOM redirect


Web applications occasionally use DOM input values to store the address of the page to which the client will be redirected -- for example: `yoursite.com/#/?redirect=www.yoursite.com/404.asp`
An unvalidated redirect occurs when the client is able to modify the affected parameter value and thus control the location of the redirection. For example, the following URL `yoursite.com/#/?redirect=www.anothersite.com` will redirect to `www.anothersite.com`.
Cyber-criminals will abuse these vulnerabilities in social engineering attacks to get users to unknowingly visit malicious web sites.
Scanner has discovered that the web page does not validate the parameter value prior to redirecting the client to the injected value.


The application should ensure that the supplied value for a redirect is permitted. This can be achieved by performing whitelisting on the parameter value.
The whitelist should contain a list of pages or sites that the application is permitted to redirect users to. If the supplied value does not match any value in the whitelist then the server should redirect to a standard error page.

Plugin Details

Severity: High

ID: 98103

File Name: was_unvalidated_redirect_dom.nasl

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: High

Reference Information