SYM_JSTS_0079 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

URL Redirection to Untrusted Site ('Open Redirect')

| Property | Value |
| --- | --- |
| Language | javascript |
| Severity | low |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

The application uses user-controlled input to set the destination of window redirection (e.g., via location.href or location.replace) without validating the input. This allows attackers to redirect users to malicious sites or inject JavaScript code.

Impact

If exploited, attackers could trick users into visiting phishing or malicious sites, leading to credential theft or malware installation. In some cases, they could inject JavaScript via specially crafted links, potentially enabling Cross-Site Scripting (XSS) attacks and compromising user data or site integrity.
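The following added example is not part of the vulnerability database entry; it contrasts the unvalidated pattern the description refers to with a hardened helper that resolves the candidate against the application's own origin and only accepts same-origin http(s) targets. The origin `https://app.example`, the `next` parameter name and the sample inputs are constructed for illustration.

```javascript
// Added example (not the database's own code). Uses the WHATWG URL class,
// which is a global in modern browsers and in Node.js.

// Vulnerable pattern described in the entry: a user-controlled value is
// assigned to location.href without validation. Kept only for contrast.
function redirectUnsafe(nextParam) {
  // window.location.href = nextParam;
  // "//evil.example/login" and "javascript:alert(1)" both go straight through.
}

// Hardened: resolve the candidate against the current origin, accept only
// http(s) URLs whose origin equals our own, and hand back a same-origin
// relative path. Everything else falls back to a fixed safe location.
function safeRedirectTarget(candidate, currentOrigin, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;

  let resolved;
  try {
    resolved = new URL(candidate, currentOrigin);
  } catch (_) {
    return fallback; // unparsable input is rejected, not guessed at
  }

  // Rejects javascript:, data:, mailto: and any other scheme-injection attempt.
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') return fallback;

  // Origin comparison (not string-prefix matching) catches protocol-relative
  // "//evil.example", backslash variants such as "/\evil.example" (which the
  // URL parser treats as an authority), and look-alike hosts like
  // "app.example.evil.example".
  if (resolved.origin !== new URL(currentOrigin).origin) return fallback;

  // Drop the origin entirely so the redirect can only ever stay on-site.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Sample "next" values a server or client might receive (constructed).
const SAMPLE_NEXT_VALUES = [
  '/dashboard?tab=1',                    // legitimate relative path
  'https://app.example/profile#top',     // legitimate absolute same-origin URL
  '//evil.example/login',                // protocol-relative external host
  '/\\evil.example/login',               // backslash trick resolving to evil.example
  'https://app.example.evil.example/',   // look-alike host defeats prefix checks
  'javascript:alert(1)',                 // scheme injection (the XSS case)
  'http://[',                            // unparsable input
  '',                                    // missing parameter
];

// Classifies each sample against the constructed origin; returns the decisions
// so they can be inspected or asserted on.
function classifyRedirects(currentOrigin = 'https://app.example') {
  return SAMPLE_NEXT_VALUES.map((input) => ({
    input,
    target: safeRedirectTarget(input, currentOrigin),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { input, target } of classifyRedirects()) {
    console.log(JSON.stringify(input).padEnd(40), '->', target);
  }
}
```

Comparing `resolved.origin` rather than checking that the string starts with `/` or with the site's hostname is the point of the helper: the parser, not a hand-written prefix test, decides what host the browser would actually navigate to, so the protocol-relative, backslash and look-alike cases all resolve to a foreign origin and are rejected.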