# URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. **Stack:** JavaScript - Prevalence: Moyenne 3 langages couverts - Impact: Moyen Revue recommandée - Prevention: Documentée 4 exemples de correctifs **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description An open redirect vulnerability occurs when an application takes user input and uses it to redirect the user to a different URL. Attackers can exploit this to redirect users to malicious sites. ## Prevention Stratégies de prévention pour Open Redirect basées sur 2 règles de détection Shoulder. ### JavaScript Validate redirect targets against an allowlist of permitted paths Validate redirect URLs against an allowlist or enforce relative paths ## Warning Signs - [MEDIUM] user-controlled input flowing into redirect targets in Next - [MEDIUM] user input flowing into redirect functions without URL validation ## Consequences - Obtenir des privilèges - Contourner le mécanisme de protection ## Mitigations - Validez les URL par rapport à une liste d'autorisation de domaines de confiance - Utilisez un système de mapping plutôt que des paramètres d'URL directs - Affichez des pages d'avertissement avant de rediriger vers des sites externes ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (2 rules) - **Next.js Open Redirect** [MEDIUM]: Detects user-controlled input flowing into redirect targets in Next.js middleware. - Remediation: Validate redirect targets against an allowlist of permitted paths. ```typescript const ALLOWED_PATHS = ['/login', '/dashboard', '/profile']; const redirect = request.nextUrl.searchParams.get('redirect'); if (redirect && ALLOWED_PATHS.includes(redirect)) { return NextResponse.redirect(new URL(redirect, request.url)); } return NextResponse.redirect(new URL('/', request.url)); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/nextjs-open-redirect - **Open Redirect via Untrusted URLs** [MEDIUM]: Detects user input flowing into redirect functions without URL validation. - Remediation: Validate redirect URLs against an allowlist or ensure they are relative paths. ```javascript const ALLOWED = ['/home', '/dashboard', '/profile']; if (ALLOWED.includes(url) || url.startsWith('/')) { res.redirect(url); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect ### Typescript (2 rules) - **Next.js Open Redirect** [MEDIUM]: Detects user-controlled input flowing into redirect targets in Next.js middleware. - Remediation: Validate redirect targets against an allowlist of permitted paths. ```typescript const ALLOWED_PATHS = ['/login', '/dashboard', '/profile']; const redirect = request.nextUrl.searchParams.get('redirect'); if (redirect && ALLOWED_PATHS.includes(redirect)) { return NextResponse.redirect(new URL(redirect, request.url)); } return NextResponse.redirect(new URL('/', request.url)); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/nextjs-open-redirect - **Open Redirect via Untrusted URLs** [MEDIUM]: Detects user input flowing into redirect functions without URL validation. - Remediation: Validate redirect URLs against an allowlist or ensure they are relative paths. ```javascript const ALLOWED = ['/home', '/dashboard', '/profile']; if (ALLOWED.includes(url) || url.startsWith('/')) { res.redirect(url); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect