by OliverJones
2726 days ago
I just fixed one myself. It's not that hard to sanitize redirect parameters. One good way, if it fits your app, is to insist they be internal-only: "/app/profile" rather than external "https://evil.example.com/phish/login". I believe it's worth fixing these, not only because it gets penetration tests to shuddup, but because cybercreeps...
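The internal-only check the comment describes, as an added example that is not part of the original thread or any particular framework: a validator that accepts only app-local absolute paths like `/app/profile` and rejects absolute URLs, protocol-relative forms (`//host`, and the `/\host` variant browsers normalise to it), `javascript:` targets and inputs containing control characters. The `APP_ORIGIN` value and the `safe_redirect` fallback behaviour are assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

# Assumed origin of the application (example value, not from the thread).
APP_ORIGIN = "https://app.example.com"


def is_safe_internal_redirect(target: str) -> bool:
    """Return True only for app-internal absolute paths such as "/app/profile"."""
    if not target:
        return False
    # Reject whitespace and C0 control characters outright: URL parsers
    # (including urlsplit since 3.9.5) strip some of them, which can change
    # what the browser ends up resolving.
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    # Any scheme ("https:", "javascript:") or authority ("//evil.example.com")
    # means the target is external.
    if parts.scheme or parts.netloc:
        return False
    path = parts.path
    # Must be an absolute local path. "//" and "/\" are treated by browsers as
    # protocol-relative, so they would leave the site.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return False
    # Belt and braces: resolving against our origin must stay on our origin.
    resolved = urljoin(APP_ORIGIN + "/", target)
    return urlsplit(resolved).netloc == urlsplit(APP_ORIGIN).netloc


def safe_redirect(target: str, fallback: str = "/") -> str:
    """Return the validated target, or the fallback path if it is not internal."""
    return target if is_safe_internal_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs a "next"/"redirect" parameter might carry.
    for candidate in [
        "/app/profile",
        "https://evil.example.com/phish/login",
        "//evil.example.com",
        "/\\evil.example.com",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect(candidate)}")
```

Use `safe_redirect()` wherever the redirect parameter is consumed; logging the rejected value alongside the fallback gives a cheap detection signal for probing of the redirect endpoint.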