
URL Redirection to Untrusted Site ('Open Redirect')

🛡️ 4 개의 규칙이 이를 탐지합니다

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect.

An open redirect vulnerability occurs when an application takes user input and uses it to redirect the user to a different URL. Attackers can exploit this to redirect users to malicious sites.

보급률
보통
3개 언어 지원
영향
보통
검토 권장
예방
문서화됨

이 취약점을 수정하는 방법

4개의 Shoulder 탐지 규칙을 기반으로 한 Open Redirect 예방 전략.

Open Redirect MEDIUM

Validate redirect URLs against an allowlist of trusted domains

+18 -5 go
  package main
  
- import "net/http"
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     target := r.URL.Query().Get("redirect")
-     // Vulnerable: redirect to user-controlled URL
+ import (
+     "net/http"
+     "net/url"
+ )
+ 
+ var allowedHosts = map[string]bool{
+     "example.com":     true,
+     "app.example.com": true,
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     target := r.URL.Query().Get("redirect")
+     u, err := url.Parse(target)
+     if err != nil || (u.Host != "" && !allowedHosts[u.Host]) {
+         http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
+         return
+     }
+     // Safe: only allows relative paths or allowed domains
      http.Redirect(w, r, target, http.StatusFound)
  }
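Review bot: The condition on the `if err != nil || (u.Host != "" && !allowedHosts[u.Host])` line constrains only the host, so any target whose parsed Host is empty is accepted regardless of scheme — a `javascript:` or `data:` URL reaches http.Redirect unchanged — and a path that begins with `/\` is accepted too, because url.Parse leaves Host empty for it while browsers treat the backslash as a second slash and read it as scheme-relative. Accept exactly two shapes instead: a scheme-less, host-less path containing no backslash, or an http/https URL whose Host is in allowedHosts; url.Parse already lowercases the scheme, so the comparison below is enough. The rewrite uses `strings`, which the import block on this page does not yet list. Note also that the empty-parameter case (no `redirect` query value) still falls into the relative branch, which is harmless but worth a comment.
```go
    u, err := url.Parse(target)
    if err != nil {
        http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
        return
    }
    // A relative target must be a plain path; backslashes are rejected because
    // browsers normalise "/\host" to "//host".
    isRelative := u.Scheme == "" && u.Host == "" && !strings.Contains(target, "\\")
    isAllowedAbsolute := (u.Scheme == "http" || u.Scheme == "https") && allowedHosts[u.Host]
    if !isRelative && !isAllowedAbsolute {
        http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
        return
    }
    // … unchanged: http.Redirect call …
```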
  
Next.js Open Redirect MEDIUM

Validate redirect targets against an allowlist of permitted paths

+8 -5 javascript
- export function middleware(request) {
-   const redirectUrl = request.nextUrl.searchParams.get('redirect');
-   if (redirectUrl) {
-     return NextResponse.redirect(redirectUrl);
-   }
+ const ALLOWED_PATHS = ['/login', '/dashboard', '/profile'];
+ 
+ export function middleware(request) {
+   const redirect = request.nextUrl.searchParams.get('redirect');
+   if (redirect && ALLOWED_PATHS.includes(redirect)) {
+     return NextResponse.redirect(new URL(redirect, request.url));
+   }
+   return NextResponse.redirect(new URL('/', request.url));
  }
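Review bot: The fallback on the `return NextResponse.redirect(new URL('/', request.url));` line redirects every request that lacks an allowlisted `redirect` parameter, including requests for `/` itself, so unless a `matcher` config outside this hunk scopes the middleware to a single route the result is a redirect loop and every other page becomes unreachable. The pass-through case should continue the request rather than redirect it: `return NextResponse.next();`. The exact-match `ALLOWED_PATHS.includes(redirect)` check is sound as written; `NextResponse` is presumably imported above the hunk.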
  
Open Redirect via Untrusted URLs MEDIUM

Validate redirect URLs against an allowlist or enforce relative paths

+9 -3 javascript
  const express = require('express');
  const app = express();
  
- app.get('/redirect', (req, res) => {
-   const url = req.query.url;
-   res.redirect(url);
+ const ALLOWED_REDIRECTS = ['/home', '/dashboard', '/profile'];
+ 
+ app.get('/redirect', (req, res) => {
+   const url = req.query.url;
+   if (ALLOWED_REDIRECTS.includes(url) || url.startsWith('/')) {
+     res.redirect(url);
+   } else {
+     res.redirect('/home');
+   }
  });
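Review bot: `url.startsWith('/')` on the `if (ALLOWED_REDIRECTS.includes(url) || url.startsWith('/'))` line still accepts scheme-relative targets such as those beginning with `//` or `/\`, which browsers resolve to another host, so the allowlist in front of it adds nothing (every entry already starts with `/`) and the check does not close the reported finding. It also assumes `url` is a string: with the parameter absent `req.query.url` is undefined, and with it repeated it is an array, so `startsWith` throws and the route returns a 500. Replace the condition with `const safe = typeof url === 'string' && url.startsWith('/') && !/^\/[\/\\]/.test(url);` and branch on `safe`, keeping the `/home` fallback for everything else.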
  
Open Redirect MEDIUM

Validate redirect URLs against a domain allowlist or use relative paths

+10 -4 python
  from flask import request, redirect
- 
- @app.route('/goto')
- def goto():
-     url = request.args.get('url')
+ from urllib.parse import urlparse
+ 
+ ALLOWED_DOMAINS = {"myapp.com", "www.myapp.com"}
+ 
+ @app.route('/goto')
+ def goto():
+     url = request.args.get('url', '/')
+     parsed = urlparse(url)
+     if parsed.netloc and parsed.netloc not in ALLOWED_DOMAINS:
+         url = '/'
      return redirect(url)
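Review bot: The check on the `if parsed.netloc and parsed.netloc not in ALLOWED_DOMAINS:` line only runs when urlparse found a netloc, so a target with a non-HTTP scheme (for example `javascript:`) has an empty netloc and is passed to redirect() untouched, and a path beginning with `/\` also keeps an empty netloc while browsers read the backslash as a second slash and treat it as scheme-relative. Compare the scheme as well and reject backslashes; `parsed.hostname` is preferable to `parsed.netloc` because it is lowercased and strips userinfo and port, so it matches the entries in ALLOWED_DOMAINS as written. The `goto` function is complete within the hunk; only the two assignment lines below change.
```python
    parsed = urlparse(url)
    # A relative target must be a bare path with no scheme, host or backslash.
    is_relative = not parsed.scheme and not parsed.netloc and '\\' not in url
    is_allowed_absolute = parsed.scheme in ('http', 'https') and parsed.hostname in ALLOWED_DOMAINS
    if not (is_relative or is_allowed_absolute):
        url = '/'
    # … unchanged: return redirect(url) …
```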
  
4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 URL Redirection to Untrusted Site ('Open Redirect') 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟡
User input flows to redirect without validation go-open-redirect
🟡
user-controlled input flowing into redirect targets in Next javascript-nextjs-open-redirect
🟡
user input flowing into redirect functions without URL validation javascript-open-redirect
🟡
unvalidated redirects using user input python-open-redirect
