- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 07 Feb 2012 18:21:54 +0100
- To: Chris Weber <chris@lookout.net>
- CC: Martin Thomson <martin.thomson@gmail.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2012-02-07 18:10, Chris Weber wrote:
> On 2/7/2012 8:38 AM, Martin Thomson wrote:
>> I don't see the problem. So I ask to modify X, but then X points me to
>> Y, so I either automatically modify Y, or require confirmation before
>> doing so. There isn't a security problem. X has the information and
>> could forward to Y itself.
>
> Within the security community the issue has been termed "Open Redirect"
> and has been well documented here
> http://cwe.mitre.org/data/definitions/601.html and here
> https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
> as well as other places. It's not a vulnerability by itself but has
> ...

Clarifying: "Open" means that the target of the redirect actually depends on something the request contains, such as a query parameter, right?
Received on Tuesday, 7 February 2012 17:25:14 UTC
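The point Julian is asking about, shown in code: a redirect is "open" exactly when the Location target is taken from the request itself. The following is an added example written for this archive page; it is not code from the thread, from the CWE/OWASP references, or from any HTTP WG draft. The site origin `https://app.example`, the `next` parameter name and the function names are assumptions chosen for illustration. It puts the vulnerable handler beside a hardened one that only follows same-site paths, and exercises the usual bypass shapes (absolute URL, scheme-relative `//host`, backslash variant, CRLF, `javascript:`).

```python
"""Open redirect (CWE-601): the redirect target comes from the request (assumed 'next' parameter)."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed origin of the service that issues the redirect (hypothetical).
SITE_ORIGIN = "https://app.example"


def redirect_target_open(query_string, default="/"):
    """Vulnerable form: the Location header is whatever the caller put in 'next'."""
    params = parse_qs(query_string)
    return params.get("next", [default])[0]


def is_local_path(target):
    """True only for a relative path on our own site.

    Rejects anything a browser could interpret as another origin:
    absolute URLs, scheme-relative '//host', the '/\\host' backslash variant,
    and control characters (CR/LF would allow header injection).
    """
    if not target or not target.startswith("/"):
        return False
    if len(target) > 1 and target[1] in "/\\":
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def redirect_target_safe(query_string, default="/"):
    """Hardened form: resolve 'next' against our own origin and refuse to leave it."""
    params = parse_qs(query_string)
    candidate = params.get("next", [default])[0]
    if not is_local_path(candidate):
        return urljoin(SITE_ORIGIN, default)
    resolved = urljoin(SITE_ORIGIN, candidate)
    # Belt and braces: after resolution the host must still be ours.
    if urlsplit(resolved).netloc != urlsplit(SITE_ORIGIN).netloc:
        return urljoin(SITE_ORIGIN, default)
    return resolved


# Constructed sample query strings (not captured traffic).
SAMPLES = [
    "next=/account/settings",                 # legitimate same-site target
    "next=https://evil.example/phish",        # absolute URL to another host
    "next=//evil.example/phish",              # scheme-relative, resolves off-site
    "next=/%5Cevil.example",                  # '/\evil.example', treated like '//' by browsers
    "next=/dashboard%0D%0ASet-Cookie:x",      # CRLF: header injection attempt
    "next=javascript:alert(1)",               # non-HTTP scheme
    "",                                       # parameter absent: default applies
]


def compare(query_string):
    """Return (open_target, safe_target) for one query string."""
    return redirect_target_open(query_string), redirect_target_safe(query_string)


if __name__ == "__main__":
    for q in SAMPLES:
        open_t, safe_t = compare(q)
        print(f"{q!r:45} open -> {open_t!r:40} safe -> {safe_t!r}")
```

The vulnerable version is the one Martin's "X points me to Y" scenario turns into if Y is taken verbatim from the request: the service becomes a trusted-looking hop to any destination. The hardened version answers Julian's question in the negative for its own output: the target no longer depends on the request beyond choosing a path under the site's own origin.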