Prevent unsafe redirects

One Paragraph Explainer

When redirects are implemented in Node.js and/or Express, it’s important to perform input validation on the server-side. If an attacker discovers that you are not validating external, user-supplied input, they may exploit this vulnerability by posting specially-crafted links on forums, social media, and other public places to get users to click it.

Example: Unsafe express redirect using user input

  1. const express = require('express');
  2. const app = express();
  4. app.get('/login', (req, res, next) => {
  6.   if (req.session.isAuthenticated()) {
  7.     res.redirect(req.query.url);
  8.   }
  10. });

The suggested fix to avoid unsafe redirects is to avoid relying on user input. If user input must be used, safe redirect whitelists can be used to avoid exposing the vulnerability.

Example: Safe redirect whitelist

  1. const whitelist = { 
  2.   'https://google.com': 1 
  3. };
  5. function getValidRedirect(url) { 
  6.     // check if the url starts with a single slash 
  7.   if (url.match(/^\/(?!\/)/)) { 
  8.     // Prepend our domain to make sure 
  9.     return 'https://example.com' + url; 
  10.   } 
  11.     // Otherwise check against a whitelist
  12.   return whitelist[url] ? url : '/'; 
  13. }
  15. app.get('/login', (req, res, next) => {
  17.   if (req.session.isAuthenticated()) {
  18.     res.redirect(getValidRedirect(req.query.url));
  19.   }
  21. });

What other bloggers say

From the blog by NodeSwat:

Fortunately the mitigation methods for this vulnerability are quite straightforward — don’t use unvalidated user input as the basis for redirect.

From the blog by Hailstone

However, if the server-side redirect logic does not validate data entering the url parameter, your users may end up on a site that looks exactly like yours (examp1e.com), but ultimately serves the needs of criminal hackers!