[Owasp-leaders] A query regarding Unvalidated redirect
Achim
achim at owasp.org
Thu Jan 4 14:34:28 UTC 2018
Hi Ankush,
please see inline below.
Ciao
Achim
On 04.01.2018 14:45, Ankush Mohanty wrote:
> Thank you for your quick response.
>
> Got your point and I am also acquainted with your scenario. But here the
> explanation on the OWASP site is
>
>
> 1. Also, spider the site to see if it generates any redirects (HTTP
> response codes 300-307, typically 302). Look at the parameters supplied
> prior to the redirect to see if they appear to be a target URL *or a
> piece of such a URL. If so, change the URL target and observe whether the
> site redirects to the new target.*
>
>
> Please clarify the underlined statement.
This means that the parameter in the request (URL or Body) is used --reflected--
in the Location header of the response.
So tampering is only meaningful in the request; tampering with the response is
mainly useless.
Does this clarify your question?
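As an added example, not part of the original thread and not OWASP's own tooling, the procedure from the quoted test description (look at a 3xx response, find the request parameter whose value is reflected into the Location header, swap in another target, see where the site now sends you) worked through offline in Python. The two login handlers, the host names shop.example and evil.example, and the `next` parameter are constructed placeholders standing in for a real site; a tester would replace the handler calls with actual HTTP requests.

```python
"""Offline walk-through of the open-redirect test described in the thread.

Constructed example: the handlers below simulate a web app, nothing is sent
over the network. Host names and the ``next`` parameter are placeholders.
"""
from urllib.parse import (parse_qs, unquote, urlencode, urljoin, urlsplit,
                          urlunsplit)

REDIRECT_CODES = range(300, 308)  # 300-307, as in the OWASP test description


def _location(headers):
    """Case-insensitive lookup of the Location header, or None."""
    return next((v for k, v in headers.items() if k.lower() == "location"), None)


def reflected_params(request_url, status, headers):
    """Step 1: on a redirect, return {param: value} for every query parameter
    whose (URL-decoded) value appears in the Location header, either as the
    whole target or as a piece of it (e.g. a path segment)."""
    location = _location(headers)
    if status not in REDIRECT_CODES or not location:
        return {}
    loc_dec = unquote(location)
    found = {}
    for name, values in parse_qs(urlsplit(request_url).query,
                                 keep_blank_values=True).items():
        for value in values:
            value_dec = unquote(value)
            if value_dec and value_dec in loc_dec:
                found[name] = value_dec
    return found


def tampered_request(request_url, param, attacker_url):
    """Step 2: rebuild the *request* with the candidate parameter replaced.
    (Tampering the response would prove nothing, as Achim notes.)"""
    parts = urlsplit(request_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[param] = [attacker_url]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def is_open_redirect(request_url, attacker_url, status, headers):
    """Step 3: resolve the new Location relative to the request (this also
    catches protocol-relative '//evil.example') and compare the host with
    the attacker host. A Location like /evil.example on the same site is
    *not* a hit, so substring matching alone would be wrong here."""
    location = _location(headers)
    if status not in REDIRECT_CODES or not location:
        return False
    target_host = urlsplit(urljoin(request_url, location)).netloc.lower()
    return target_host == urlsplit(attacker_url).netloc.lower()


def probe(handler, request_url, attacker_url="https://evil.example/phish"):
    """Whole procedure: spider one URL, find reflected params, tamper each one,
    observe where the site redirects. Returns {param: vulnerable?}."""
    status, headers = handler(request_url)
    results = {}
    for param in reflected_params(request_url, status, headers):
        url = tampered_request(request_url, param, attacker_url)
        new_status, new_headers = handler(url)
        results[param] = is_open_redirect(url, attacker_url, new_status, new_headers)
    return results


# --- constructed stand-ins for the application under test -------------------

def vulnerable_login_handler(request_url):
    """Echoes ?next= straight into Location: the unvalidated redirect."""
    target = parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]
    return 302, {"Location": target}


def hardened_login_handler(request_url):
    """Same endpoint, but only a local, single-slash path is honoured.
    Absolute URLs, //host forms and backslashes (which browsers treat as
    slashes, unlike urlsplit) all fall back to '/'."""
    target = parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc or not target.startswith("/")
            or target.startswith("//") or "\\" in target):
        target = "/"
    return 302, {"Location": target}


if __name__ == "__main__":
    login = "https://shop.example/login?next=/account"
    print("vulnerable:", probe(vulnerable_login_handler, login))  # {'next': True}
    print("hardened:  ", probe(hardened_login_handler, login))    # {'next': False}
```

The host comparison in is_open_redirect is the check that matters: a site that rewrites the value into its own path (Location: /https://evil.example/phish) reflects the parameter but is not an open redirect, while a bare //evil.example/phish resolves off-site and is.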