
Open Redirect in Java

Prevention

Unless a third-party library already handles it, developers must implement their own check that decides whether a user-controlled string is a local path or an external URL. If the set of permitted redirect targets is known in advance, implement an allow list of those URLs (or hosts) and reject everything else.

Otherwise, a simple ad hoc check for a site-local path looks like the following:

private static boolean isLocal(String path) {
    // "//host" is a protocol-relative URL; browsers also treat "/\host" as "//host"
    return path.startsWith("/") && !path.startsWith("//") && !path.startsWith("/\\");
}

It is generally safer to allow only site-local absolute paths (those beginning with a single "/") and to reject protocol-relative URLs (those beginning with "//"), which the browser resolves against the current scheme and so can reach an external website. Also reject a leading "/\", since some browsers normalize the backslash to a forward slash and treat it as protocol-relative.
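The following servlet combines both approaches from this page, the local-path check and an allow list of external hosts, in one redirect helper. It is an added example, not code from the original page: the host name in ALLOWED_HOSTS, the `next` parameter name and the use of the `jakarta.servlet` API (Servlet 5+; older containers use `javax.servlet`) are assumptions for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class SafeRedirectServlet extends HttpServlet {

    // Hypothetical allow list of external hosts this application may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("accounts.example.com");

    // Where to send the user when the requested target is rejected.
    private static final String DEFAULT_TARGET = "/";

    /** True if target is a site-local absolute path such as "/account/settings". */
    static boolean isLocalPath(String target) {
        if (target == null || target.isEmpty() || target.charAt(0) != '/') {
            return false;
        }
        // "//host" is protocol-relative; browsers also treat "/\host" the same way.
        if (target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        // Control characters (including CR/LF) have no place in a redirect target.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    /** True if target is an absolute https URL whose host is on the allow list. */
    static boolean isAllowedExternal(String target) {
        try {
            URI uri = new URI(target);
            // Compare the parsed host, not a substring of the raw string:
            // "https://accounts.example.com@evil.example" parses to host "evil.example".
            return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getUserInfo() == null
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Returns a target that is safe to pass to sendRedirect, or the default. */
    static String safeTarget(String requested) {
        if (requested != null && (isLocalPath(requested) || isAllowedExternal(requested))) {
            return requested;
        }
        return DEFAULT_TARGET;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Hypothetical "next" parameter carrying the user-controlled redirect target.
        resp.sendRedirect(safeTarget(req.getParameter("next")));
    }
}
```

With this helper, `next=/account` and `next=https://accounts.example.com/login` are passed through, while `next=//attacker`, `next=/\attacker`, `next=https://evil.example` and `next=javascript:alert(1)` all fall back to the default target. Note that the servlet container has already percent-decoded the parameter, so an encoded `%2F%2F` reaches `isLocalPath` as `//` and is rejected as well.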

References

OWASP - Unvalidated Redirects and Forwards Cheat Sheet
MITRE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')