---
title: URL Redirects Must Be In Allow List
impact: MEDIUM
impactDescription: prevents open redirect vulnerabilities used in phishing attacks
tags: redirect, url, allow-list, validation, security, kotlin
---

## URL Redirects Must Be In Allow List

An open redirect lets an attacker build a link on your trusted domain that sends the user to a site the attacker controls. Because the visible part of the link is your domain, it passes casual inspection, which is why open redirects are commonly used in phishing campaigns to make malicious URLs look legitimate. The fix is to redirect only to targets you have explicitly allowed: relative paths, or absolute URLs whose parsed host is on an allow list.

**Incorrect (unvalidated redirect URL):**

```kotlin
// Open redirect: the target comes straight from the attacker
@GetMapping("/redirect")
fun redirect(request: HttpServletRequest, response: HttpServletResponse) {
    val url = request.getParameter("url")
    response.sendRedirect(url) // Attacker: ?url=https://evil.com
}

// Partial validation (bypassable): a substring match is not a host match
@GetMapping("/redirect")
fun redirectWithSubstringCheck(@RequestParam url: String, response: HttpServletResponse) {
    if (url.contains("sun-asterisk.vn")) {
        // Bypass: https://attacker.com?sun-asterisk.vn
        //         https://sun-asterisk.vn.attacker.com
        //         https://sun-asterisk.vn@attacker.com
        response.sendRedirect(url)
    }
}
```

**Correct (allow list or relative path validation):**

```kotlin
import java.net.URI
import java.net.URISyntaxException
import jakarta.servlet.http.HttpServletResponse // javax.servlet.http on Spring 5 / Boot 2
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RequestParam

// Exact hostnames only: no wildcards, no substring matching
private val ALLOWED_HOSTS = setOf("sun-asterisk.vn", "app.sun-asterisk.vn")

@GetMapping("/redirect")
fun safeRedirect(@RequestParam url: String, response: HttpServletResponse) {
    val uri = try {
        URI(url)
    } catch (e: URISyntaxException) {
        // e.g. "/\evil.com": the parser rejects the backslash, but a browser would read it as //evil.com
        response.sendError(400, "Invalid URL")
        return
    }

    val allowed = if (uri.isAbsolute || uri.rawAuthority != null) {
        // 1. Absolute URL (or a //host reference): the scheme must be https and the *parsed* host
        //    must be on the allow list. host is null for opaque URIs such as javascript:alert(1)
        //    or https:evil.com, so those are rejected. URI.host keeps the input's case, so lowercase it.
        val host = uri.host?.lowercase()
        uri.scheme?.lowercase() == "https" && host != null && host in ALLOWED_HOSTS
    } else {
        // 2. Relative reference: exactly one leading slash. Browsers read "//evil.com" and
        //    "///evil.com" as a host, so test the raw string, not the parsed path.
        url.startsWith("/") && !url.startsWith("//")
    }

    if (!allowed) {
        response.sendError(400, "Invalid URL")
        return
    }
    response.sendRedirect(url)
}
```

**Security Best Practices:**
- Prefer relative paths over absolute URLs for internal redirects.
- If absolute URLs are required, parse the URL and compare the `host` (and scheme) against an allow list of exact hostnames; never use substring or prefix matching on the raw string.
- Reject targets that start with `//` (protocol-relative) or otherwise have no parseable host but would be read by a browser as one, such as `///host` or `/\host`.
- Display a transition page ("You are leaving this site") for redirects to external sites that are not on the allow list.
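To make the bypass classes behind these practices concrete, the following stand-alone Kotlin program is an added example and not part of the original rule. It runs the substring check from the incorrect example and an allow-list validator built on `java.net.URI` over a constructed list of attacker payloads, and prints which check accepts which input. The hosts are the page's example hosts; the `https`-only restriction and the function names are assumptions for this example.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Allow list taken from the page's examples: exact hostnames, lowercase
val ALLOWED_HOSTS = setOf("sun-asterisk.vn", "app.sun-asterisk.vn")

// The bypassable check from the "Incorrect" section, kept only for comparison
fun naiveCheck(url: String): Boolean = url.contains("sun-asterisk.vn")

// Hardened validation: returns the target to redirect to, or null if it must be rejected
fun validateRedirectTarget(raw: String): String? {
    val uri = try {
        URI(raw)
    } catch (e: URISyntaxException) {
        return null // e.g. "/\evil.com": backslash is illegal here, but browsers read it as //evil.com
    }

    // Anything with a scheme or an authority is an absolute URL or a //host reference
    if (uri.isAbsolute || uri.rawAuthority != null) {
        // host is null for opaque URIs (javascript:..., https:evil.com) and for authorities
        // java.net.URI cannot parse as a hostname; reject all of them
        val host = uri.host?.lowercase() ?: return null
        // https only (assumption); "//host" has no scheme and is rejected here as well
        if (uri.scheme?.lowercase() != "https") return null
        if (host !in ALLOWED_HOSTS) return null
        return raw
    }

    // Relative reference: exactly one leading slash ("//x" and "///x" become a host in browsers)
    if (!raw.startsWith("/") || raw.startsWith("//")) return null
    return raw
}

fun main() {
    // Constructed inputs: each payload with the reason it matters
    val cases = listOf(
        "/dashboard" to "safe relative path",
        "https://app.sun-asterisk.vn/profile" to "allow-listed host",
        "https://SUN-ASTERISK.VN/" to "allow-listed host, different case",
        "https://evil.com" to "arbitrary host",
        "https://attacker.com?sun-asterisk.vn" to "allow-listed string in query",
        "https://attacker.com#@sun-asterisk.vn" to "allow-listed string in fragment",
        "https://sun-asterisk.vn.evil.com" to "allow-listed host as subdomain prefix",
        "https://sun-asterisk.vn@evil.com" to "allow-listed host as userinfo",
        "//evil.com" to "protocol-relative",
        "///evil.com" to "triple slash, browsers read as host",
        "/\\evil.com" to "backslash, browsers read as //evil.com",
        "https:evil.com" to "missing slashes, browsers read as https://evil.com",
        "javascript:alert(1)" to "non-http scheme",
        "ftp://sun-asterisk.vn/" to "wrong scheme on allow-listed host",
    )
    println("%-42s %-7s %s".format("input", "naive", "hardened"))
    for ((input, why) in cases) {
        val naive = if (naiveCheck(input)) "allow" else "reject"
        val hardened = if (validateRedirectTarget(input) != null) "allow" else "reject"
        println("%-42s %-7s %-7s %s".format(input, naive, hardened, why))
    }
}
```

Only the first three inputs should come out as `allow` under the hardened check. The substring check accepts the query, fragment, subdomain, userinfo and `ftp://` payloads, and at the same time rejects the harmless `/dashboard` and the mixed-case allow-listed host, which shows it is both unsafe and overly brittle.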

**Tools:** SonarQube (S5146, "HTTP request redirections should not be open to forging attacks"), Semgrep, Manual Security Audit
