Recently removed from the OWASP Top Ten, unvalidated redirects and forwards are a subset of the problem of poor input validation. If you properly validate all input, including anything taken from the address bar or otherwise supplied by the user, you will not have this problem.
Below is a rehash of input validation, from the viewpoint of using redirects and forwards.
- Do not use anything from URL parameters to make decisions for your application, and this includes URLs to different sites (redirects and forwards).
- If you need to use redirects or forwards and must pass this information along, do so in a secure cookie.
- Validate your URLs, just like you would validate any data. Ensure that the supplied value is valid, appropriate for the application, and that the user is authorized to access that URL.
- The easiest strategy is to avoid using redirects and forwards altogether, if possible.
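As an added example (not code from the original post), here is what "validate your URLs" can look like in Python: an allow-list check that accepts only in-site paths or absolute URLs to hosts the application explicitly names. The `ALLOWED_HOSTS` set and the hostnames in it are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only hosts this application is
# permitted to redirect to. Everything else is rejected.
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is a path on this site or an
    absolute http(s) URL to an allow-listed host."""
    if not target:
        return False
    # Whitespace and control characters have no place in a redirect target.
    if any(c.isspace() or ord(c) < 32 for c in target):
        return False
    # Some browsers treat "\" as "/", turning "/\other.host" into "//other.host".
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # An absolute or scheme-relative ("//host/...") URL has a scheme or netloc.
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return False  # rejects javascript:, data:, and scheme-relative forms
        # hostname excludes userinfo and port; "trusted@other.host" must not pass.
        if parts.hostname is None or parts.username or parts.password:
            return False
        return parts.hostname.lower() in ALLOWED_HOSTS
    # Relative target: require a single leading "/" so it stays on this site.
    if not target.startswith("/") or target.startswith("//"):
        return False
    return True


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe fallback."""
    return target if is_safe_redirect(target) else fallback
```

The check is deliberately conservative: a bare relative path such as `dashboard` is rejected, so callers should pass site-absolute paths.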
For further reading, visit the entry for this topic on the OWASP Top Ten 2013 project page.
Up next in the ‘Pushing Left, Like a Boss’ series: URL Parameters.