/
open_redirect.yml
60 lines (54 loc) · 2.17 KB
/
open_redirect.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
imports:
- javascript_shared_common_user_input
patterns:
- pattern: |
$<RES>.redirect($<USER_INPUT>$<...>)
filters:
- variable: RES
detection: javascript_express_open_redirect_response
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
auxiliary:
- id: javascript_express_open_redirect_response
patterns:
- res
- response
# typescript
- |
const $<_>: Response = $<!>$<_>
- |
($<...>$<!>$<_>: Response$<...>) => {}
- |
($<...>$<!>$<_>: Response$<...>) {}
- |
function ($<...>$<!>$<_>: Response$<...>) {}
- |
function $<_>($<...>$<!>$<_>: Response$<...>) {}
- |
class $<_> $<...>{ $<...>$<_>($<...>$<!>$<_>: Response$<...>) {} }
languages:
- javascript
severity: medium
metadata:
description: "Unsanitized user input in redirect"
remediation_message: |-
## Description
Using unsanitized user input for redirection can expose your application to phishing attacks. This vulnerability occurs when user input directly influences the destination of a redirect without proper validation, making it easier for attackers to redirect users to malicious sites.
## Remediations
- **Do not** use unsanitized user input to construct URLs for redirection. This can lead to security vulnerabilities where attackers could exploit the redirect to lead users to malicious sites.
- **Do** validate user input by employing a safe list or a mapping strategy for constructing URLs. This ensures that only pre-approved destinations are used for redirects, significantly reducing the risk of phishing attacks.
```javascript
var map = {
"1": "/planes",
"2": "/trains",
"3": "/automobiles",
}
res.redirect(map[req.body.transport])
```
## References
- [OWASP Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
cwe_id:
- 601
id: "javascript_express_open_redirect"
documentation_url: https://docs.bearer.com/reference/rules/javascript_express_open_redirect