Web applications may redirect users to other pages and websites. Attackers can abuse redirects to send users to malicious sites, or abuse forwards to reach pages they are not authorized to access. Avoid redirects and forwards where possible. If your application does use redirects and forwards, testing of them should include:
- A review of the code should be conducted for all uses of redirect or forward. For each use, identify if the target URL is included in any parameter values. If so, verify that the parameter(s) are validated to contain only an allowed destination or element of a destination.
- Someone on the team should spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a portion of such a URL. If so, change the URL target and observe whether the site redirects to the new target.
- All parameters in the code should be analyzed to see whether they could form part of a redirect or forward URL, so that every such parameter is tested.
You should consider forcing all redirects to go through a page that notifies users that they are about to leave your site, with a link users can click on to confirm.
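As an added example (not part of the original text), the following Python code shows the three defensive pieces the list above asks for: an allow-list validator for redirect targets that rejects the usual bypasses (scheme-relative `//host`, backslash variants, non-https schemes, userinfo tricks, CRLF in the value), a helper that flags request parameters whose names or values look like redirect targets so a reviewer knows what to test, and an interstitial "you are leaving this site" page for allowed external destinations. The host names, parameter names and query strings are constructed sample values, not taken from any real application.

```python
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Hosts this application may redirect to (constructed sample values).
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}

# Parameter names commonly used to carry a redirect target; used only to
# prioritise what a reviewer should inspect (constructed, not exhaustive).
REDIRECT_PARAM_NAMES = {
    "url", "next", "redirect", "redirect_uri", "redirecturl", "returnurl",
    "return", "goto", "dest", "destination", "continue", "target", "redir",
}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-site relative path or an https URL whose
    host is on the allow list. Everything else is rejected."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        # Empty, or contains characters that could split the Location header.
        return False
    # Browsers treat backslashes as forward slashes, so normalise first;
    # otherwise "/\evil.example" would look like a relative path.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: exactly one leading "/" keeps it on this origin.
        # "//evil.example" is scheme-relative and would leave the site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() != "https":
        # Rejects http:, javascript:, data: and anything else.
        return False
    # `hostname` strips userinfo and port, so "https://app.example.com@evil.example"
    # yields "evil.example" and is rejected against the allow list.
    return parts.hostname is not None and parts.hostname.lower() in allowed_hosts


def plan_redirect(target: str, default: str = "/") -> dict:
    """Decide how to handle a requested redirect target.

    Same-site paths redirect directly; allowed external hosts go through an
    interstitial notice; anything unsafe falls back to the default page."""
    if not is_safe_redirect(target):
        return {"action": "redirect", "location": default}
    normalised = target.replace("\\", "/")
    if urlsplit(normalised).netloc:
        return {"action": "interstitial", "location": normalised}
    return {"action": "redirect", "location": normalised}


def leave_site_page(target: str) -> str:
    """Minimal HTML notice shown before following an allowed external link.
    The target is HTML-escaped so it cannot break out of the attribute."""
    safe = escape(target, quote=True)
    return (
        "<p>You are about to leave this site for "
        f"<code>{safe}</code>.</p>"
        f'<p><a href="{safe}" rel="noopener noreferrer">Continue</a></p>'
    )


def find_redirect_like_params(query_string: str) -> list:
    """Return (name, value) pairs from a query string that look like redirect
    targets, either by well-known name or because the value parses as a path
    or absolute URL. Intended for the code/spider review steps above."""
    flagged = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        parts = urlsplit(value)
        looks_like_url = value.startswith("/") or bool(parts.scheme and parts.netloc)
        if name.lower() in REDIRECT_PARAM_NAMES or looks_like_url:
            flagged.append((name, value))
    return flagged


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/x", "https://login.example.com/sso",
                      "https://evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {plan_redirect(candidate)}")
    print(find_redirect_like_params("next=%2Fhome&q=shoes&returnUrl=https%3A%2F%2Fx.example"))
```

The validator deliberately rejects bare relative paths without a leading slash and any non-https absolute URL; loosening either rule should be a conscious decision recorded alongside the allow list. `find_redirect_like_params` is a review aid for the spidering step, not a security control: it tells a tester which parameters to exercise, and `is_safe_redirect` is what the application itself must call before emitting a Location header.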