[Owasp-leaders] A query regarding Unvalidated redirect

Achim achim at owasp.org
Thu Jan 4 14:34:28 UTC 2018


Hi Ankush,

please see inline below.

Ciao
Achim
On 04.01.2018 14:45, Ankush Mohanty wrote:
> Thank you for your quick response.
> 
> Got your point and I am also acquainted with your scenario. But here the
> explanation in the OWASP site is
> 
> 
>    1. Also, spider the site to see if it generates any redirects (HTTP
>    response codes 300-307, typically 302). Look at the parameters supplied
>    prior to the redirect to see if they appear to be a target URL *or a
>    piece of such a URL. If so, change the URL target and observe whether the
>    site redirects to the new target.*
> 
> 
> Please clarify the underlined statement.

This means that the parameter in the request (URL or body) is used, i.e. reflected,
in the Location header of the response.

So tampering is only meaningful in the request; tampering the response is
mainly useless.

Does this clarify your question?
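The two-step test quoted above (spot request parameters that are reflected into the Location header, then change them and see whether the site follows) as a runnable script. This is an added example, not code from the thread or from OWASP; the two handlers are constructed stand-ins for the application under test, and `example.test` / `attacker.example` are assumed hosts. No network is used.

```python
"""Open-redirect probe over simulated HTTP handlers.

Step 1: find request parameters whose value appears in the Location header of a
3xx response.  Step 2: replace each such parameter with attacker-controlled
targets, re-issue the request, and report the ones that now redirect off-site.
"""
from urllib.parse import urlparse, urljoin, parse_qs

SITE_ORIGIN = "https://example.test"           # assumed site under test
ATTACKER_HOST = "attacker.example"             # assumed attacker-controlled host
REDIRECT_CODES = range(300, 308)               # 300-307, typically 302

# Full URL, protocol-relative URL, and bare host: covers the "target URL or a
# piece of such a URL" cases.
PAYLOADS = [f"https://{ATTACKER_HOST}/", f"//{ATTACKER_HOST}/", ATTACKER_HOST]


def vulnerable_redirect(params):
    """Constructed handler: copies `next` straight into Location (open redirect)."""
    return 302, {"Location": params.get("next", "/")}


def hardened_redirect(params):
    """Constructed handler: resolves `next` against the site origin and refuses
    to leave it, falling back to the site root instead."""
    resolved = urljoin(SITE_ORIGIN + "/", params.get("next", "/"))
    if urlparse(resolved).netloc != urlparse(SITE_ORIGIN).netloc:
        resolved = SITE_ORIGIN + "/"
    return 302, {"Location": resolved}


def params_from_url(url):
    """First value of each query parameter, e.g. ?next=/account -> {'next': '/account'}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def reflected_params(params, status, headers):
    """Step 1: names of parameters whose value is echoed in a redirect's Location.
    Very short values (one or two characters) would match almost anything, so
    they are skipped to avoid false positives."""
    if status not in REDIRECT_CODES or "Location" not in headers:
        return []
    location = headers["Location"]
    return [name for name, value in params.items()
            if len(value) > 2 and value in location]


def leaves_site(location):
    """True if following `location` from the site origin lands on another host."""
    resolved = urljoin(SITE_ORIGIN + "/", location)
    return urlparse(resolved).netloc != urlparse(SITE_ORIGIN).netloc


def probe_open_redirect(handler, params):
    """Step 2: tamper each reflected parameter in the *request* and check whether
    the new response redirects off-site.  Returns the vulnerable parameter names."""
    status, headers = handler(params)
    hits = []
    for name in reflected_params(params, status, headers):
        for payload in PAYLOADS:
            tampered = dict(params, **{name: payload})
            status2, headers2 = handler(tampered)
            if status2 in REDIRECT_CODES and leaves_site(headers2.get("Location", "")):
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    req = params_from_url(SITE_ORIGIN + "/login?next=/account&lang=en")
    print("vulnerable:", probe_open_redirect(vulnerable_redirect, req))
    print("hardened:  ", probe_open_redirect(hardened_redirect, req))
```

Against a real target the two handler calls would be replaced by sending the request and the tampered request with a client that does not follow redirects, so that the Location header itself can be inspected; editing the Location header in an intercepted response, as the thread notes, proves nothing.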


