[Owasp-leaders] Unvalidated Redirects and Forwards Cheat Sheet

Jeff Williams jeff.williams at owasp.org
Thu Mar 21 02:10:30 UTC 2013


Nice work!

Would it be possible to discuss all the ways to send a redirect (so people can actually find these flaws)? Usually frameworks have a shortcut, but they can also set a custom Location header. They can also use a meta tag or JavaScript. Is DOM-based open redirect a thing?

Also, why does the unvalidated forward part of this use a redirect example?  I'd like to see some more discussion of the access control aspects of forwards.

Thanks for putting this together.

--Jeff


On Mar 20, 2013, at 7:54 PM, Johanna Curiel <johanna.curiel at owasp.org> wrote:

> And big thanks to Jim for his superb editing skills ;-)
> 
> On 20 Mar 2013 at 11:31, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> Leaders,
>> 
>> The Unvalidated Redirects and Forwards Cheat Sheet is now live.
>> 
>> https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
>> 
>> Big thanks to Susanna Bezold and Johanna Curiel for their work on this cheat sheet.
>> 
>> As always, comments are appreciated.
>> 
>> Keep on cheating,
>> 
>> Jim Manico
>> OWASP Volunteer
>> @Manicode
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders