Forum Discussion
Dmitry
Feb 04, 2020
The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site
It's so weird. So the security guy said: if I write the wrong URL, I will go to the wrong site? Seriously?
Ask him: who does this affect? Simple question. It doesn't affect your site or your valid client. So it's not a problem.
If this is something like an official attestation and you have no choice, you can try something like this:
when HTTP_REQUEST {
    # Redirect to HTTPS on the same host, dropping any :port suffix from the Host header
    if { [HTTP::uri] starts_with "/" } {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    } else {
        # URI without a leading slash: insert one so the Location header stays well-formed
        HTTP::redirect https://[getfield [HTTP::host] ":" 1]/[HTTP::uri]
    }
}
But if I were you, I would say: you're wrong, go away 😁
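For readers who do have to satisfy the auditor's point, the following iRule is an added example (not Dmitry's code and not from the original thread): it performs the same HTTPS redirect but only after checking the Host header against an allow-list, so a request carrying an unexpected Host value is sent to a fixed canonical site instead of being reflected into the Location header. The hostnames `www.example.com` and `example.com` are assumed placeholders.

```tcl
# Added example, not from the original post. Same-host HTTPS redirect with a
# Host allow-list: the redirect target can only ever be a hostname we own.
when HTTP_REQUEST {
    # Strip any :port suffix from the Host header and normalise case before comparing
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Exact-match allow-list (assumed hostnames; replace with the sites this VS serves)
    switch -- $host {
        "www.example.com" -
        "example.com" {
            # Known host: keep it and the original path in the redirect
        }
        default {
            # Unknown or client-supplied Host value: fall back to the canonical site
            # rather than echoing an arbitrary hostname into the Location header
            set host "www.example.com"
        }
    }

    # HTTP::uri always carries the leading "/", so no separate branch is needed here
    HTTP::redirect "https://${host}[HTTP::uri]"
}
```

With the allow-list in place the auditor's finding no longer applies: whatever Host a client sends, the Location header names one of the listed sites.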