URFDS: Systematic discovery of Unvalidated Redirects and Forwards in web applications

URL redirection is necessary in web applications. Well-designed redirection makes better user experience. However, if used improperly, it could give rise to attacks such as phishing. These improperly used redirections are called Unvalidated Redirects and Forwards (URF). This paper prescribes a mechanism to systemically discover URF vulnerabilities in web applications. The prototype implementation, that we call Unvalidated Redirects and Forwards Detection System (URFDS), uses a black-box scanning technique to modify URLs and analyse the generated output to identify URF. In order to show the feasible of our approach, we tested 142,522,691 unique links and found a great number of vulnerabilities in top websites and popular applications that were overlooked by previous works.