# Unvalidated Redirects and Forwards

## Overview

Unvalidated redirects and forwards occur when user-supplied input is used, without validation, as the destination of a redirect, so the application sends the user to whatever URL the input names. By pointing that input at a malicious site, an attacker can mount a phishing attack to steal the user's credentials. Because the link begins with the hostname of the original, trusted site, the phishing link looks legitimate and trustworthy, is more likely to pass e-mail filters, and more easily persuades users to click it.

For example, consider the URL `https://website.com/?urlparameter=<url>`, where the application takes the value of the *urlparameter* query variable and redirects the user to it. Requesting `https://website.com/?urlparameter=google.com` would then redirect the end user to google.com.

## Example

This example from appsecco's DVNA illustrates a simple unvalidated redirect in Node.js. The vulnerable URL is `http://127.0.0.1/app/redirect?url=<url>`. Any URL entered in the `url` parameter redirects the user to that URL: `https://127.0.0.1/app/redirect?url=google.com` will redirect the user to google.com.

The code that handles this functionality is in `/core/apphandler.js`. The function takes the request and, on its second line, checks whether the request carries a value for the `url` query variable; if it does, the function immediately redirects to that URL without any validation or any prompt to make the user aware of where they are being sent.

```javascript
// Vulnerable handler from DVNA (/core/apphandler.js), kept as-is to show the flaw.
module.exports.redirect = function(req, res){
    // The query parameter is trusted as a redirect target with no validation at all.
    if(req.query.url){
        res.redirect(req.query.url)
    }else{
        res.send('invalid redirect url')
    }
}
```

The solution implemented is an interceptor page: before the redirect is issued, the end user is shown the destination URL and must explicitly approve it.
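The following is an added example, not DVNA's own code, showing how the handler above could be hardened: the redirect target is parsed with the WHATWG `URL` class against the application's own origin, only `http`/`https` targets whose host is on a short allow-list are accepted, and targets on an approved external host are routed through an interstitial page that displays the destination and asks for confirmation, matching the interceptor approach described above. `TRUSTED_ORIGIN`, `ALLOWED_HOSTS`, `partner.example` and the Express-style `req`/`res` shape are assumptions made for the example.

```javascript
// Added hardening example (not from DVNA). Assumes the application is served
// from TRUSTED_ORIGIN and that the handler is called with Express-style req/res.
const TRUSTED_ORIGIN = 'https://127.0.0.1';                        // constructed for the example
const ALLOWED_HOSTS = new Set(['127.0.0.1', 'partner.example']);    // hypothetical allow-list

// Resolve `target` against our own origin and return its absolute URL string
// if it is acceptable, otherwise null. Resolving relative to TRUSTED_ORIGIN
// means plain paths like "/account" are accepted as same-origin, while
// protocol-relative ("//evil.example"), backslash ("/\evil.example") and
// userinfo ("https://127.0.0.1@evil.example") forms all parse to a foreign
// host and are rejected by the allow-list check.
function validateRedirect(target) {
  if (typeof target !== 'string' || target.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(target, TRUSTED_ORIGIN);
  } catch (e) {
    return null;                        // unparseable input is not a redirect target
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null; // no javascript:, data:, ...
  if (parsed.username || parsed.password) return null;                           // never forward credentials
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

// True when the validated URL stays on our own origin.
function isSameOrigin(validatedUrl) {
  return new URL(validatedUrl).origin === new URL(TRUSTED_ORIGIN).origin;
}

// Minimal HTML escaping so the destination can be shown safely on the interstitial.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Interceptor page: shows the user where they are about to go and requires a click.
function renderInterstitial(validatedUrl) {
  const shown = escapeHtml(validatedUrl);
  return [
    '<!doctype html><title>Leaving this site</title>',
    '<p>You are about to leave this site for:</p>',
    `<p><code>${shown}</code></p>`,
    `<p><a href="${shown}" rel="noopener noreferrer">Continue</a> | <a href="/">Cancel</a></p>`,
  ].join('\n');
}

// Drop-in replacement for the vulnerable handler on the page.
function redirect(req, res) {
  const safe = validateRedirect(req.query && req.query.url);
  if (!safe) {
    res.status(400).send('invalid redirect url');   // reject instead of forwarding
    return;
  }
  if (isSameOrigin(safe)) {
    res.redirect(safe);                             // internal navigation needs no prompt
  } else {
    res.status(200).send(renderInterstitial(safe)); // external but allow-listed: ask first
  }
}

module.exports = { validateRedirect, isSameOrigin, renderInterstitial, redirect };
```

Because `new URL(input, base)` normalises the target before the host is compared, string-prefix checks such as `url.startsWith('https://127.0.0.1')` are avoided; those are exactly what the userinfo and backslash forms are designed to slip past. Logging rejected targets (without following them) is a cheap way to spot phishing campaigns that are probing the endpoint.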

{% embed url="<https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html>" %}

{% embed url="<https://appsecco.com/books/dvna-developers-security-guide/solution/ax-unvalidated-redirects-and-forwards.html>" %}
Appsecco DVNA source code example
{% endembed %}

