# URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.

**Stack:** Python

- Prevalence: Média 3 linguagens cobertas
- Impact: Médio Revisão recomendada
- Prevention: Documentada 4 exemplos de correção

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

An open redirect vulnerability occurs when an application takes user input and uses it to redirect the user to a different URL. Attackers can exploit this to redirect users to malicious sites.

## Prevention

Estratégias de prevenção para Open Redirect baseadas em 1 regras de detecção do Shoulder.

### Python

Validate redirect URLs against a domain allowlist or use relative paths

## Warning Signs

- [MEDIUM] unvalidated redirects using user input

## Consequences

- Obter privilégios
- Burlar mecanismo de proteção

## Mitigations

- Valide URLs contra uma allowlist de domínios confiáveis
- Use um sistema de mapeamento em vez de parâmetros diretos de URL
- Exiba páginas de aviso antes de redirecionar para sites externos

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Open Redirect** [MEDIUM]: Detects unvalidated redirects using user input.
  - Remediation: Validate redirect URLs against an allowlist of permitted domains.

```python
from urllib.parse import urlparse
ALLOWED_DOMAINS = {"myapp.com"}
if urlparse(url).netloc not in ALLOWED_DOMAINS:
    url = "/"
```

Learn more: https://shoulder.dev/learn/python/cwe-601/open-redirect