Detalle CWE-601

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')
Bajo
Draft
2007-05-07
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Informaciones generales

Detalles de contexto

Modos de introducción

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Tecnologías

Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity

Note: The user may be redirected to an untrusted page that contains malware which may then compromise the user's system. In some cases, an open redirect can also enable the immediate download of a file without the user's permission, because the redirection to an external site may lead to endpoints on those sites that automatically trigger a download action ("drive-by download" [REF-1478]). This will expose the user to extensive risk. The user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
Access Control
Confidentiality
Other		Bypass Protection Mechanism, Gain Privileges or Assume Identity, Other

Note: By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam. The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

Ejemplos observados

Referencias Descripción

CVE-2005-4206

URL parameter loads the URL into a frame and causes it to appear to be part of a valid page.

CVE-2008-2951

An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function.

CVE-2008-2052

Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter.

CVE-2020-11053

Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601)

Mitigaciones potenciales

Phases : Implementation
Phases : Architecture and Design
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Phases : Architecture and Design
Phases : Architecture and Design
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Phases : Architecture and Design // Implementation
Phases : Operation
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Métodos de detección

Manual Static Analysis

Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
Efectividad : High

Automated Dynamic Analysis

Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.

Automated Static Analysis

Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efectividad : High

Automated Static Analysis - Binary or Bytecode

Efectividad : High

Dynamic Analysis with Automated Results Interpretation

Efectividad : High

Dynamic Analysis with Manual Results Interpretation

Efectividad : High

Manual Static Analysis - Source Code

Efectividad : High

Automated Static Analysis - Source Code

Efectividad : High

Architecture or Design Review

Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-178 Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.

Notas

Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs.

Referencias

REF-483

Exploitable Redirects on the Web: Identification, Prevalence, and Defense
Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta.
https://www.cprogramming.com/tutorial/exceptions.html

REF-484

Open redirect vulnerabilities: definition and prevention
Russ McRee.
https://img2.helpnetsecurity.com/dl/insecure/INSECURE-Mag-17.pdf

REF-485

Top 25 Series - Rank 23 - Open Redirect
Jason Lam.
https://www.sans.org/blog/top-25-series-rank-23-open-redirect

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-1478

Drive-by download
Wikipedia.
https://en.wikipedia.org/wiki/Drive-by_download

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

REF-1481

D3FEND: Application Layer Firewall
D3FEND.
https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
Anonymous Tool Vendor (under NDA) 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Relationships, Observed_Example, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-03 +00:00 updated References and Observed_Examples
CWE Content Team MITRE 2008-10-14 +00:00 updated Alternate_Terms, Observed_Examples, References
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Name
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Applicable_Platforms, Common_Consequences, Detection_Factors, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-07-17 +00:00 updated References, Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships, Type
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Potential_Mitigations, Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-04-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Description, Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2024-11-19 +00:00 updated Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.