[Owasp-leaders] A query regarding Unvalidated redirect

Achim achim at owasp.org
Thu Jan 4 14:34:28 UTC 2018

Hi Ankush,

please see inline below.

On 04.01.2018 14:45, Ankush Mohanty wrote:
> Thank you for your quick response.
> Got your point and I am also acquainted with your scenario. But here the
> explanation in the OWASP site is
>    1. Also, spider the site to see if it generates any redirects (HTTP
>    response codes 300-307, typically 302). Look at the parameters supplied
>    prior to the redirect to see if they appear to be a target URL *or a
>    piece of such a URL. If so, change the URL target and observe whether the
>    site redirects to the new target.*
> Please clarify the underlined statement.

This means that the parameter in the request (URL or Body) is used --reflected--
in the Location header of the response.

So tampering is only meaningful in the request; tampering with the response is
mainly useless.

Does this clarify your question?
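The reflection Achim describes, as an added example that is not part of the original thread: a Python check that reports which request parameters reappear in the Location header of a 3xx response (an observation for the tester, not a verdict), beside the server-side allowlist check that would close the issue. The sample request/response pairs, host names and function names are constructed for illustration.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qsl, urljoin

# Constructed sample request/response pairs, as a spider would collect them.
SAMPLES = [
    {"request": "https://app.example/login?next=https://evil.example/phish",
     "status": 302, "location": "https://evil.example/phish"},
    {"request": "https://app.example/login?next=/account",
     "status": 302, "location": "https://app.example/account"},
    {"request": "https://app.example/login?lang=en",
     "status": 302, "location": "https://app.example/home"},
]


def reflected_params(request_url: str, status: int, location: Optional[str]) -> List[str]:
    """Names of request parameters whose value reappears in the Location header.

    Only 300-307 responses carrying a Location header are considered; a hit means the
    parameter is reflected into the redirect target and deserves a closer look."""
    if location is None or not 300 <= status <= 307:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(request_url).query):
        # Ignore tiny values that would match almost anything by accident.
        if len(value) >= 2 and value in location:
            hits.append(name)
    return hits


def scan(samples) -> List[Tuple[str, List[str]]]:
    """Run the reflection check over collected pairs; keep only those with hits."""
    report = []
    for s in samples:
        hits = reflected_params(s["request"], s["status"], s["location"])
        if hits:
            report.append((s["request"], hits))
    return report


ALLOWED_HOSTS = {"app.example"}  # constructed allowlist for the mitigation below


def safe_redirect_target(base_url: str, target: str) -> Optional[str]:
    """Server-side mitigation: resolve the requested target against the current page
    and accept it only if it stays on an allowlisted host over http(s).
    Protocol-relative ("//evil.example/x") and non-http schemes are rejected."""
    resolved = urlsplit(urljoin(base_url, target))
    if resolved.scheme not in ("http", "https") or resolved.netloc not in ALLOWED_HOSTS:
        return None
    return resolved.geturl()
```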
