Protecting OutSystems apps from redirects / forwarders vulnerabilities
Attackers can trick users by taking advantage of unvalidated redirects or forwards. The victim trusts your URL, but is sent on to a malicious site.
When an application redirects users to a page whose URL is taken from a request parameter, an attacker can craft a link to your legitimate domain whose redirect parameter points to a site under the attacker's control. Because the visible link belongs to a trusted domain, phishing and malware delivery through it become far more convincing.
The following example from OWASP documentation shows how an unvalidated redirect can be exploited to send a user to a malicious site.
How to do it with OutSystems Platform
To prevent attackers from using unvalidated redirects or forwards, the following actions are recommended:
Use case | Actions |
---|---|
Redirecting to dynamic URLs taken from input parameters | Avoid redirecting to external sites using URLs taken from input parameters. If you absolutely must, check the input URL against a whitelist of allowed destinations before redirecting, and send the user to a fixed, known-good page when the check fails. |
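The whitelist check above is platform independent, so here it is as an added example in Python (this is not OutSystems code, and OutSystems has no Python runtime; it illustrates what a server-side redirect action has to verify before following a user-supplied `ReturnUrl`-style parameter). The host names in `ALLOWED_HOSTS` and the function names `is_safe_redirect` and `resolve_redirect` are assumptions for the example. It goes beyond a plain string comparison by rejecting the variants attackers use to slip past naive checks: scheme-relative `//host`, the `///host` and backslash forms browsers still resolve to another host, user-info tricks such as `https://trusted@evil`, and non-http schemes.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: the hosts the application is willing to
# send users to. In a real deployment this comes from configuration.
ALLOWED_HOSTS = frozenset({"app.example.com", "sso.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is an absolute path on this site or an
    absolute http(s) URL whose hostname is exactly on the allowlist.

    Everything else, including scheme-relative URLs, backslash variants,
    userinfo tricks and non-http schemes, is rejected."""
    if not target:
        return False
    # Reject whitespace and control characters outright. Browsers strip or
    # reinterpret them, which is how " javascript:" or "java\tscript:" get
    # past checks that only look at the first few characters.
    if any(ch <= " " or ch == "\x7f" for ch in target):
        return False
    # Browsers treat a backslash like a slash, so "/\evil.com" resolves to
    # "//evil.com", a scheme-relative URL pointing at evil.com.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference without an authority. Require exactly one leading
        # slash: "//host" has a netloc and never reaches here, but "///host"
        # parses with an empty netloc and browsers still resolve it to host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # hostname drops userinfo and port and lower-cases the result, so
    # "https://app.example.com@evil.com/" yields "evil.com" and is rejected.
    host = parts.hostname
    return host is not None and host in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Hardened form of the redirect: follow `target` only if it passes the
    allowlist check, otherwise send the user to a fixed, known-good page."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample of what a ReturnUrl-style parameter might carry.
    for candidate in ["/Account/Profile",
                      "https://sso.example.com/login",
                      "//evil.com/",
                      "/\\evil.com",
                      "https://app.example.com@evil.com/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)!r}")
```

The check is deliberately strict: a relative target must start with a single `/`, and an absolute target must use http or https and match an allowlisted host exactly (subdomains such as `app.example.com.evil.com` do not match). Matching on `hostname` rather than on the raw string is what defeats the `user@host` and `#fragment` tricks, since those leave the allowlisted name in the string but not in the host the browser connects to.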
More information
To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.