
Protecting OutSystems apps from redirects / forwarders vulnerabilities

Attackers can trick users by taking advantage of unvalidated redirects or forwarders. In these cases, victims trust your URL but are redirected to a malicious site.

When an application redirects users to other pages using a dynamic URL taken from its request parameters, an attacker can hand a victim a link to your legitimate URL whose redirect parameter points to a malicious site.

The following example from OWASP documentation shows how an unvalidated redirect can be exploited to send a user to a malicious site.

How to do it with OutSystems Platform

To prevent attackers from using unvalidated redirects or forwarders, the following actions are recommended:

Use case: Dynamic URL redirects built from input parameters

Actions: To prevent attackers from using unvalidated redirects or forwarders, avoid redirecting to external sites through dynamic URLs. If you absolutely must use them, check the input URL against a whitelist before redirecting.
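The whitelist check described above, written out as an added example in Python; it is not OutSystems code and not part of the original page. The allowlisted hosts, the default landing path and the sample inputs are constructed for the example. The check accepts only same-site relative paths or absolute https URLs whose host is exactly on the allowlist, and falls back to a safe default for everything else, including protocol-relative URLs, lookalike subdomains and URLs that smuggle an allowlisted name into the userinfo part.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real app would load it from configuration.
ALLOWED_HOSTS = {"example.com", "partner.example.org"}
# Constructed safe landing page used whenever the supplied target is rejected.
DEFAULT_REDIRECT = "/home"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_REDIRECT):
    """Return `url` if it is a safe redirect target, otherwise `default`.

    Accepted targets:
      * a relative path on this site, starting with a single '/'
      * an absolute https URL whose host is exactly in `allowed_hosts`
    Everything else (other schemes, userinfo, lookalike hosts, control
    characters) is replaced by the default landing page.
    """
    if not url:
        return default
    # Whitespace and CR/LF never belong in a legitimate target; reject rather than clean.
    if any(c in url for c in "\r\n\t "):
        return default
    # Some browsers treat backslashes as slashes; refuse instead of guessing.
    if "\\" in url:
        return default

    parts = urlsplit(url)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must stay on this site, so '//host' is not allowed.
        if url.startswith("/") and not url.startswith("//"):
            return url
        return default

    # Protocol-relative URLs ('//host/...') have an empty scheme and fail here,
    # as do http:, javascript: and any other non-https scheme.
    if parts.scheme.lower() != "https":
        return default

    # 'https://good.example@evil.example/' parses with hostname 'evil.example';
    # reject any userinfo outright instead of comparing against it.
    if parts.username is not None or parts.password is not None:
        return default

    # urlsplit().hostname is already lowercased; compare exactly, not by suffix or prefix,
    # so 'example.com.evil.example' does not match 'example.com'.
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return default
    return url


if __name__ == "__main__":
    # Constructed sample inputs, as an application might receive in a 'returnUrl' parameter.
    for candidate in ["/account", "https://example.com/dashboard?tab=1",
                      "//evil.example/", "https://example.com@evil.example/",
                      "https://example.com.evil.example/", "http://example.com/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The decision is an exact host match after parsing, not a substring or prefix test on the raw string, which is the usual mistake in hand-rolled whitelist checks. Anything the check cannot positively classify as safe goes to the default page rather than to the requested URL.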

More information

To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.