OWASP, a nonprofit community that helps organizations develop trustworthy web applications, has highlighted unvalidated redirects and forwards as a significant issue in modern web applications. "This issue is making its debut in the top 10," the organization said. "The evidence shows that this relatively unknown issue is widespread and can cause significant damage."
Applications often redirect users to other pages, or use internal forwards in a similar manner. The target page is sometimes specified in a parameter that the web application does not validate, which allows attackers to choose the destination page. In this exploit, an attacker links to the unvalidated redirect and tricks victims into clicking the link.
Because the doctored link points to a legitimate website, victims are more likely to click on it, even though it includes a redirect built into the URL that forwards the victim to a different site of the attacker's choice. "Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass," OWASP said in its top 10 list.
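The pattern described above, as an added example that is not from the article or from OWASP: a redirect handler that trusts its destination parameter, beside a validated version that only ever issues same-site relative redirects. The parameter name `next`, the host `www.example.com` and the sample paths are constructed for illustration.

```python
# Added example: unvalidated redirect target beside a validated one.
# SITE_HOST and the "next" parameter are constructed, not taken from any real app.
from urllib.parse import urlparse, urljoin

SITE_HOST = "www.example.com"  # constructed: the application's own host


def redirect_target_unvalidated(next_param: str) -> str:
    """Vulnerable: the Location value comes straight from the request parameter,
    so a link on the legitimate site can send the user to any destination."""
    return next_param


def redirect_target_validated(next_param: str) -> str:
    """Hardened: accept only paths on our own origin and return them as a
    relative path; anything else falls back to the site root."""
    fallback = "/"
    if not next_param:
        return fallback
    # Reject protocol-relative ("//host") and backslash forms up front; browsers
    # normalise these into a different host than urlparse reports.
    if next_param.startswith("//") or "\\" in next_param:
        return fallback
    # Resolve the parameter against our own origin, then confirm the result
    # still points at our scheme and host (catches absolute URLs, "javascript:",
    # and user-info tricks such as "https://www.example.com@other.host/").
    resolved = urlparse(urljoin(f"https://{SITE_HOST}/", next_param))
    if resolved.scheme != "https" or resolved.netloc != SITE_HOST:
        return fallback
    # Emit a relative path so the Location header never names a host at all.
    path = resolved.path if resolved.path.startswith("/") else "/" + resolved.path
    return path + (f"?{resolved.query}" if resolved.query else "")
```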
Georg Hess, CEO and co-founder of security firm Art of Defence, said that the addition of this web application vulnerability had significant implications for organizations that needed to be compliant with the PCI-DSS standard for credit card protection. "Unvalidated redirects and forwards are the most important from Art of Defence’s view, as this is not a commonly understood issue," he said. "Protecting and validating all parameters used in URLs is key for meeting this requirement, and a good web application firewall should cover you here." The use of a web application firewall is already mandated by the PCI-DSS specification.
The other change is the reintroduction of security misconfiguration as a risk. Last included in the 2004 version of the OWASP top 10, it was dropped in 2007 because it wasn't considered a software issue, OWASP said. "However, from an organizational risk and prevalence perspective, it clearly merits reinclusion in the top 10, so now it's back."
The organization removed malicious file execution from the list; it had been included largely because of the historical prevalence of this vulnerability in PHP applications. PHP is now more secure by default, which has made this problem less common, OWASP noted. Information leakage and improper error handling has also been removed. "This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal," it pointed out, adding that in any case this vulnerability falls largely under the reintroduced security misconfiguration banner.