3.13 Unvalidated Redirects
An unvalidated redirect occurs when a user follows a link that redirects them to another page, but where the redirect target can be modified by an attacker (e.g. when it is passed as a URL parameter). In this lesson, I'll show you a simple defense for unvalidated redirects. It involves whitelisting certain redirect targets and making sure that sanitization is performed on the redirect target URL to strip out relative paths and null bytes.
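The defense described above, as an added example that is not part of the original lesson: a validator that strips null bytes, collapses relative (`.` and `..`) path segments, and only allows a redirect to either a same-site absolute path or an absolute URL whose host is on an allow-list. The host names in `ALLOWED_HOSTS`, the `DEFAULT_TARGET` fallback and the function names are assumptions for the example; anything that fails validation falls back to the default target rather than being "repaired".

```python
"""Allow-list based validation of a redirect target (added example, not the lesson's code)."""
import posixpath
from typing import Iterable, Optional
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Hypothetical allow-list of hosts this application is willing to redirect to.
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
# Where to send the user when the requested target is rejected.
DEFAULT_TARGET = "/"


def _clean_path(raw_path: str) -> Optional[str]:
    """Decode the path once, collapse '.' / '..' segments and re-encode it.

    Returns None unless the result is a single-rooted absolute path
    (so '//host', 'page' without a leading slash and backslash tricks
    are all rejected).
    """
    decoded = unquote(raw_path)
    if (not decoded.startswith("/")
            or decoded.startswith("//")       # protocol-relative URL after decoding
            or "\\" in decoded):              # browsers treat '\' like '/'
        return None
    path = posixpath.normpath(decoded)        # '/a/../b' -> '/b', '/../x' -> '/x'
    if decoded.endswith("/") and not path.endswith("/"):
        path += "/"                           # normpath drops a trailing slash
    return quote(path, safe="/@:-._~!$&'()*+,;=")


def safe_redirect_target(candidate: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that is safe to hand to the HTTP Location header."""
    if not candidate:
        return default
    # Strip null bytes (raw and percent-encoded) and surrounding whitespace.
    value = candidate.replace("\x00", "").replace("%00", "").strip()
    # Remaining control characters or backslashes are parser-confusion tricks.
    if any(ord(ch) < 0x20 for ch in value) or "\\" in value:
        return default

    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) to an allow-listed host.
        # Comparing the whole netloc also rejects 'good.host@evil.host' and odd ports.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.netloc.lower() not in {h.lower() for h in allowed_hosts}:
            return default
        path = _clean_path(parts.path or "/")
        if path is None:
            return default
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           path, parts.query, parts.fragment))

    # Same-site target: must be an absolute path on this origin.
    path = _clean_path(parts.path)
    if path is None:
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: the first three are legitimate, the rest are rejected.
    for sample in ["/dashboard", "/a/../b?x=1", "https://app.example.com/profile",
                   "//evil.example.net/", "https://evil.example.net/",
                   "javascript:alert(1)", "https://app.example.com@evil.example.net/",
                   "/%2fevil.example.net/", "relative/page"]:
        print(f"{sample!r:48} -> {safe_redirect_target(sample)!r}")
```

Note the order of operations: null bytes are removed before parsing so that a `/admin%00.html` style target cannot split the URL differently in the parser and in the browser, and the path is percent-decoded exactly once before normalisation so that `%2e%2e` cannot smuggle a `..` segment past `normpath`.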