Pushing Left, Like a Boss — Part 5.6 — Redirects and Forwards

Tanya Janca ・ 1 min read

Pushing Left Like a Boss (23 Part Series)

1) Pushing Left, Like a Boss: Part 1
2) Pushing Left, Like a Boss! -- Part 2: Security Requirements
3) Pushing Left, Like a Boss! -- Part 3: Secure Design
4) Pushing Left, Like a Boss: Part 4: Secure Coding
5) Pushing Left, Like a Boss — Part 5.1 — Input Validation, Output Encoding and Parameterized Queries
6) Pushing Left, Like a Boss — Part 5.2 — Use Safe Dependencies
7) Pushing Left, Like a Boss — Part 5.3 — Browser and Client-Side Hardening
8) Pushing Left, Like a Boss — Part 5.4 — Session Management
9) Pushing Left, Like a Boss — Part 5.5 — File Uploads
10) Pushing Left, Like a Boss — Part 5.6 — Redirects and Forwards
11) Pushing Left, Like a Boss — Part 5.7 — URL Parameters
12) Pushing Left, Like a Boss — Part 5.8 — Securing Your Cookies
13) Pushing Left, Like a Boss — Part 5.9 — Error Handling and Logging
14) Pushing Left, Like a Boss — Part 5.10 — Untrusted Data
15) Pushing Left, Like a Boss — Part 5.11 — Authorization (AuthZ)
16) Pushing Left, Like a Boss — Part 5.12 — Authentication (AuthN), Identity and Access Control
17) Pushing Left, Like a Boss — Part 5.13 — HTTPS only
18) Pushing Left, Like a Boss, Part 5.14 Secure Coding Summary
19) Pushing Left, Like a Boss - Part 6: Threat Modelling
20) Pushing Left, Like a Boss - Part 7: Code Review and Static Code Analysis
21) Pushing Left, Like a Boss - Part 8: Testing
22) Pushing Left, Like a Boss - Part 9: An AppSec Program
23) Pushing Left, Like a Boss - Part 10: Special AppSec Activities and Situations

Previously published on my Medium blog, SheHacksPurple.

Recently removed from the OWASP Top Ten, unvalidated redirects and forwards are a subset of the broader problem of poor input validation. If you properly validate all input, including values in the address bar (URL parameters) and anything else obtained from the user, you will not have this problem.

DevOps Zurich meetup, 2017

Below is a recap of input validation from the viewpoint of redirects and forwards.

  • Do not use anything from URL parameters to make decisions for your application, and this includes URLs to different sites (redirects and forwards).
  • If you do need to use redirects or forwards and must pass the destination along, do it in a secure cookie rather than in the URL.
  • Validate your URLs, just like you would validate any data. Ensure that the supplied value is valid, appropriate for the application, and that the user is authorized to access that URL.
  • The easiest strategy is to avoid using redirects and forwards altogether, if possible.
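As an added example (not code from the original post), here is one way to implement the "validate your URLs" point above in Python: the redirect target is accepted only if it is a same-site path or an https URL to an allowlisted host, and anything else falls back to a safe default. `ALLOWED_HOSTS`, `safe_redirect_target` and the sample inputs are constructed for this illustration; the same check applies whether the value arrives in a URL parameter or a secure cookie.

```python
"""Allowlist-based validation of a redirect/forward target (constructed example)."""
from urllib.parse import urlsplit, urlunsplit

# Hosts this application is allowed to send users to (constructed values).
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `value` if it is a same-site path or an allowlisted https URL,
    otherwise return `default`. Never raises on malformed input."""
    if not isinstance(value, str) or not value or len(value) > 2048:
        return default
    # Control characters and backslashes are rejected outright: browsers
    # normalise "\" to "/", so "/\evil.example" would become "//evil.example".
    if any(ord(c) < 0x20 or c == "\\" for c in value):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return default
    # Case 1: relative path on this site. It must start with exactly one "/",
    # because "//host/..." is a protocol-relative URL pointing at another host.
    if not parts.scheme and not parts.netloc:
        if value.startswith("/") and not value.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return default
    # Case 2: absolute URL. Only https, no userinfo ("good.example@evil.example"
    # would otherwise look allowlisted), and the parsed hostname must match
    # an allowlisted host exactly (no suffix or substring matching).
    if parts.scheme != "https" or "@" in parts.netloc:
        return default
    if parts.hostname not in allowed_hosts:
        return default
    # Drop the fragment; keep host (lower-cased) and any port on the allowed host.
    return urlunsplit(("https", parts.netloc.lower(), parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the first two are accepted, the rest fall back to "/".
    for candidate in ["/account/settings?tab=2", "https://login.example.com/sso?x=1#f",
                      "//evil.example/", "/\\evil.example", "javascript:alert(1)",
                      "https://login.example.com@evil.example/", "http://app.example.com/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```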

For further reading, visit the entry for this topic on the OWASP Top Ten 2013 project page.

Up next in the ‘Pushing Left, Like a Boss’ series: URL Parameters.
