A tiny fix with big impact and high risk

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • secutils

    Secutils.dev is an open-source, versatile, yet simple security toolbox for engineers and researchers (by secutils-dev)

  • If we blindly redirect the user to whatever URL is embedded in the next query string parameter, we run the risk of becoming an easy phishing target. Imagine someone shares the following link with you: https://secutils.dev/signin?next=%2F%2Fws-secutils.dev%2Fws%2Fweb_scraping. The main domain looks legit, and it’s not easy to notice that the next parameter includes a URL to a completely different website - https://ws-secutils.dev/ws/web_scraping. Malicious actors can exploit various tricks and browser quirks to conceal the real destination in the next parameter. For example, here I used a URL-encoded protocol-relative URL (// instead of https://).

  • secutils-webui

    The web user interface for Secutils.dev

  • The example above shows that you absolutely have to validate all URLs you redirect users to if there is a chance they can be manipulated by third parties. In the Secutils.dev Web UI, specifically, I rely on the native URL class to check if the URL has the proper origin before redirecting the user. Also, check out "Preventing Unvalidated Redirects and Forwards" from OWASP for more tips.

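As an added example (not code from the original post or from the Secutils.dev Web UI), here is how the origin check described above can be done in JavaScript with the native URL class. APP_ORIGIN, the function names and the sample sign-in links are assumptions made for this illustration; resolving `next` against the application's own origin and then comparing `origin` is what turns the protocol-relative trick into a plain mismatch.

```javascript
// Added example, not code from the original post or from Secutils.dev:
// validating an open-redirect-prone `next` parameter with the WHATWG URL
// class (built into Node.js and browsers). APP_ORIGIN and the sample links
// below are constructed for this illustration.

const APP_ORIGIN = "https://secutils.dev";

// Pull the raw `next` value out of a sign-in link. URLSearchParams decodes
// "%2F%2F" back to "//", which is exactly what a server-side query parser
// would hand the redirect code as well.
function nextFromSignInLink(link) {
  return new URL(link).searchParams.get("next");
}

// Return an absolute URL on `origin` that is safe to put in a Location
// header, or null if `next` must be rejected. Resolving against the app
// origin means "/path" stays on our site, while "//host/path",
// "https://other/...", "http://secutils.dev/..." (scheme downgrade),
// "javascript:..." and "/\host/path" (a backslash counts as a slash in
// https URLs) all parse to a different origin and fail the comparison.
function safeRedirectTarget(next, origin = APP_ORIGIN) {
  if (typeof next !== "string" || next === "") return null;
  let target;
  try {
    target = new URL(next, origin);
  } catch {
    return null; // unparsable input: do not try to "fix" it, just refuse
  }
  if (target.origin !== new URL(origin).origin) return null;
  // "user:pass@host" is already covered by the origin check (the host part
  // wins), but there is no reason to ever forward credentials.
  if (target.username !== "" || target.password !== "") return null;
  // Return the serialized absolute URL rather than target.pathname: a path
  // such as "/.//evil/x" parses to pathname "//evil/x", which would become
  // protocol-relative again if echoed on its own.
  return target.href;
}

// Minimal sign-in handler: the value that would go into the Location header.
function locationAfterSignIn(signInLink, fallback = APP_ORIGIN + "/") {
  return safeRedirectTarget(nextFromSignInLink(signInLink)) ?? fallback;
}

// Constructed sample links for a quick self-check when run directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const link of [
    "https://secutils.dev/signin?next=%2Fws%2Fweb_scraping",
    "https://secutils.dev/signin?next=%2F%2Fws-secutils.dev%2Fws%2Fweb_scraping",
    "https://secutils.dev/signin?next=https%3A%2F%2Fsecutils.dev%40ws-secutils.dev%2F",
    "https://secutils.dev/signin?next=javascript%3Aalert(1)",
  ]) {
    console.log(link, "->", locationAfterSignIn(link));
  }
}
```

Note that the check compares parsed origins, not string prefixes: a prefix test such as `next.startsWith("https://secutils.dev")` would wave through `https://secutils.dev.attacker.example/` and `https://secutils.dev@attacker.example/`, both of which this function rejects.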
NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Related posts

  • Explore web applications through their content security policy (CSP)

    1 project | dev.to | 28 Nov 2023
  • Q4 2023 iteration: tracking arbitrary web content, user-specific webhook subdomains, inherited CSP, and more

    1 project | dev.to | 31 Oct 2023
  • Announcing 1.0.0-alpha.3 release: more powerful resource tracking, notifications and content sharing

    2 projects | dev.to | 24 Oct 2023
  • Building a scheduler for a Rust application

    1 project | dev.to | 26 Sep 2023
  • A plan for Q3 2023 iteration

    2 projects | dev.to | 21 Sep 2023