/
redirect-to-request-uri.yaml
35 lines (35 loc) · 1.1 KB
/
redirect-to-request-uri.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
rules:
- id: redirect-to-request-uri
patterns:
- pattern-either:
- pattern: |
header('$LOCATION' . $_SERVER['REQUEST_URI']);
- pattern: |
header('$LOCATION' . $_SERVER['REQUEST_URI'] . $MORE);
- metavariable-regex:
metavariable: $LOCATION
regex: '^(?i)location:\s*$'
message: >-
Redirecting to the current request URL may redirect to another domain, if
the current path starts with two slashes.
E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI
is //attacker.com, and redirecting to it will redirect to that domain.
metadata:
references:
- https://www.php.net/manual/en/reserved.variables.server.php
- https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
category: security
technology:
- php
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
cwe:
- "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
likelihood: MEDIUM
impact: LOW
confidence: MEDIUM
subcategory:
- vuln
languages: [php]
severity: WARNING