In a previous post, "Developer PCI Check up", I provided a high-level overview of the OWASP (Open Web Application Security Project) Top 10 web application security risks. Ensuring that these vulnerabilities are not present in a web application is a critical part of being PCI compliant. This is the first of ten posts going into more detail on each of the vulnerabilities.
Number 10 on the list is Unvalidated Redirects and Forwards. Modern web applications frequently use HTTP redirects and forwards to control application flow, for example sending a user back to the page they originally requested once they have logged in. A system is vulnerable when the destination is taken from an untrusted source, most commonly a query-string parameter in the URL, without checking it. An attacker can then craft a link that starts with the application's own, trusted domain but sends the victim on to a phishing site or a malicious download; because the visible domain is one the user trusts, the link is far more likely to be clicked. An unvalidated server-side forward has a related problem: it can route a request to a page the user is not authorized to reach. Here is an example of a URL that is vulnerable:
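As an added example that is not part of the original post (and independent of the URL the post goes on to show), the following Python shows the vulnerable pattern described above, a redirect target read straight from a `url` query-string parameter, beside a hardened version that only honours site-relative paths or absolute URLs on the application's own host. The host `shop.example.com`, the parameter name `url` and the request URLs are assumptions made for illustration; the check covers the common bypasses of a naive "starts with /" test (protocol-relative `//host` and `///host`, backslashes, embedded tabs, `user@host` and look-alike host names).

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed host of the application (illustrative value, not from the post).
APP_HOST = "shop.example.com"


def redirect_param(request_url):
    """Return the raw 'url' query-string value of a request, or None if absent."""
    values = parse_qs(urlsplit(request_url).query).get("url")
    return values[0] if values else None


def unsafe_redirect_target(request_url):
    """The vulnerable pattern: whatever arrives in ?url= becomes the Location
    header, unchecked, so ?url=https://evil.example/ sends the user off-site."""
    return redirect_param(request_url) or "/"


def _has_forbidden_chars(value):
    # Browsers drop tabs, newlines and other C0 controls from a URL and treat a
    # backslash as a forward slash, so "/\evil.example" or "/\t/evil.example"
    # resolve to "//evil.example". Reject them outright rather than normalising.
    return any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F
               for ch in value)


def safe_redirect_target(request_url, default="/"):
    """Hardened version: return a site-relative URL derived from ?url= when it
    stays on APP_HOST, otherwise fall back to `default`."""
    candidate = redirect_param(request_url)
    if not candidate or _has_forbidden_chars(candidate):
        return default

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: accept only https on exactly our host, with no userinfo.
        # This blocks "https://shop.example.com@evil.example/" (hostname is
        # evil.example) and "https://shop.example.com.evil.example/" (not an
        # exact match), as well as javascript: and data: schemes.
        if (parts.scheme != "https" or parts.username is not None
                or parts.hostname != APP_HOST):
            return default
        path = parts.path or "/"
    elif candidate.startswith("//"):
        # "//host" and "///host" are protocol-relative: browsers collapse the
        # leading slashes and navigate to that host.
        return default
    else:
        path = parts.path

    # Only an absolute path on this origin is left; a path beginning with "//"
    # would again be read as an authority by the browser.
    if not path.startswith("/") or path.startswith("//"):
        return default

    # Re-assemble without scheme or host so the redirect cannot leave the site.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed request URLs exercising the checks above.
    login = "https://shop.example.com/login?url="
    for target in ["/account/orders", "https://shop.example.com/cart?item=7",
                   "//evil.example/phish", "%2F%2Fevil.example", "///evil.example",
                   "https://evil.example/", "https://shop.example.com@evil.example/",
                   "https://shop.example.com.evil.example/", "/%5Cevil.example",
                   "javascript:alert(1)"]:
        print(f"{target:45} unsafe={unsafe_redirect_target(login + target)!r:45} "
              f"safe={safe_redirect_target(login + target)!r}")
```

The decoded parameter is validated, not the raw query string, because the framework decodes `%2F%2F` to `//` before the value reaches the redirect. Where the set of legitimate destinations is small, a stricter design is to pass an opaque key (`?next=orders`) and map it to a path on the server, so the request never carries a URL at all.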