Unvalidated Redirect or Forward

Description

Unvalidated redirect vulnerabilities could allow an attacker to redirect a user to an untrusted site using functionality in a trusted site. This could lend credibility to various social engineering attacks that try to trick a user into following a link to a legitimate GitHub page, only to have that page redirect them to an untrusted site.

To prevent this vulnerability within GitHub, all user-controlled redirects are funneled through validation logic that restricts the locations users can be forwarded to.
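One way such redirect validation can be implemented, as an added Ruby example that is not GitHub's own code: the user-supplied destination is accepted only if it is a same-site relative path or an https URL on the application's own host (`TRUSTED_HOST` is an assumed placeholder), and anything else falls back to a safe default.

```ruby
require "uri"

# Assumed placeholder for the application's canonical host (not from the page).
TRUSTED_HOST = "app.example.com"
FALLBACK = "/"

# Returns a destination that is safe to pass to a redirect.
def safe_redirect_target(param)
  return FALLBACK if param.nil? || param.strip.empty?
  value = param.strip

  # Control characters and backslashes are rejected outright: some browsers
  # normalise "\" to "/", which would turn "/\evil.com" into "//evil.com".
  return FALLBACK if value.match?(/[\x00-\x1f\\]/)

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return FALLBACK
  end

  # Anything with a scheme or an authority (including protocol-relative
  # "//evil.com" and "javascript:" URLs) must be https on the trusted host
  # and must not carry userinfo such as "https://trusted@evil.com".
  if uri.scheme || uri.host
    return FALLBACK unless uri.scheme&.downcase == "https"
    return FALLBACK unless uri.host&.downcase == TRUSTED_HOST
    return FALLBACK unless uri.userinfo.nil?
    return value
  end

  # Relative destinations must be a single leading "/" path; "//" is
  # protocol-relative and would leave the site.
  return FALLBACK unless value.start_with?("/") && !value.start_with?("//")
  value
end
```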

More about unvalidated redirect vulnerabilities from OWASP’s Top 10:

Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page. Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, because they target internal pages.