How to fix open redirect issue in java

Neeraj Sharma · Jul 8, 2017 · Viewed 9.7k times

Currently my java code uses

response.sendRedirect(request.getRequestURL().toString());

Which is an open redirect.

I have to fix this but I can not white list it since there are too many URLs associated with it.

I have tried the following solution with ESAPI but it won't work for me.

ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();

I am new to ESAPI.

Answer

avgvstvs · Jul 8, 2017

[Disclaimer]

I'm project co-lead on ESAPI.

I have to fix this but I can not white list it since there are too many URLs associated with it.

Essentially, "I have to fix the problem, but I am restricting myself from the easiest solution."

Here are the best practices enumerated by @jww:

  1. Simply avoid using redirects and forwards.

  2. If used, do not allow the url as user input for the destination. This can usually be done. In this case, you should have a method to validate the URL.

  3. If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.

  4. It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.

  5. Sanitize input by creating a list of trusted URLs (lists of hosts or a regex).

  6. Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

These are literally all the solutions available to you. Some web frameworks make this easy for you, like Spring MVC with Spring Security.

These lines:

ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();

Don't work because you have to inspect the user input before performing the redirect.
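To make items 3, 4 and 5 of the list above concrete, here is an added example of the two patterns the answer recommends: a server-side map from an opaque key to the real destination, and a validator that only passes same-site relative paths through. This is example code written for this page, not code from the original question, the answerer, or the ESAPI project; the class and method names (RedirectTargets, resolveMapped, safeLocalPath), the destination table and the sample inputs are all constructed for illustration. It uses only the JDK, so it compiles and runs without the servlet API; the comment inside shows where the call sits relative to response.sendRedirect.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not from the original post or ESAPI). Names are hypothetical.
 * Two ways to take a redirect destination from the client without letting the
 * client choose an arbitrary URL.
 */
public final class RedirectTargets {

    // Item 4: the client sends an opaque key (e.g. ?next=account); the server owns
    // the table of real destinations, so no URL ever comes from user input.
    // Constructed sample table; the help host is a placeholder.
    private static final Map<String, String> KNOWN_DESTINATIONS = Map.of(
        "home",    "/",
        "account", "/account/overview",
        "help",    "https://help.example.com/start"
    );

    public static Optional<String> resolveMapped(String key) {
        if (key == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(KNOWN_DESTINATIONS.get(key));
    }

    // Items 3/5: when a raw path must be accepted, accept only a path on this site.
    // Rejects absolute URLs, scheme-relative "//host" forms, "/\" variants that some
    // browsers treat as "//", anything that fails to parse, and ".." segments.
    public static Optional<String> safeLocalPath(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return Optional.empty();
        }
        if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
            return Optional.empty();
        }
        final URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        // A scheme or authority means the browser would leave this origin.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return Optional.empty();
        }
        String path = uri.normalize().getRawPath();
        if (path == null || !path.startsWith("/")) {
            return Optional.empty();
        }
        for (String segment : path.split("/")) {
            if ("..".equals(segment)) {
                return Optional.empty();
            }
        }
        String query = uri.getRawQuery();
        return Optional.of(query == null ? path : path + "?" + query);
    }

    // In a servlet the integration point is the line before sendRedirect, e.g.
    //   String target = RedirectTargets.safeLocalPath(request.getParameter("next")).orElse("/");
    //   response.sendRedirect(target);
    public static void main(String[] args) {
        String[] keys = { "account", "help", "not-a-key" };
        for (String key : keys) {
            System.out.println("key " + key + " -> " + resolveMapped(key).orElse("(rejected, use default)"));
        }
        // Constructed inputs: the first two are accepted, the rest are rejected.
        String[] paths = { "/account/overview?tab=1", "/docs/./guide",
                           "//other.example/", "https://other.example/", "/\\other.example",
                           "/a/../../b", "not-a-path" };
        for (String p : paths) {
            System.out.println("path " + p + " -> " + safeLocalPath(p).orElse("(rejected, use default)"));
        }
    }
}
```

The `.orElse("/")` fallback is the important part of the integration: a rejected destination lands the user on a known page of your own site rather than on an error, and nothing the client sent ever reaches `Location:` unchanged. If you later need off-site destinations, add them to the key table (item 4) or put them behind the confirmation page of item 6 rather than widening the path validator.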