Lack of Security Speed Bump Page
Overview of the Vulnerability
A security speed bump is an interstitial page that warns a user before the application sends them to a destination supplied by another user, for example a link posted in a comment or forum post, and requires them to confirm before continuing. Without one, an attacker can seed comment sections or forum posts with links to phishing or information-gathering pages, and victims follow them with no warning that they are leaving the application.
Business Impact
A lack of a security speed bump can result in reputational damage for the business, as customer trust is harmed when an attacker uses the application itself to send users to a phishing site that harvests their login credentials or coerces them into making a financial transaction.
Steps to Reproduce
Using a browser, navigate to: {{URL}}
{{action}} and notice that the application sends the user directly to the external destination without showing a security speed bump page
Proof of Concept (PoC)
The screenshot below demonstrates the lack of a security speed bump:
{{screenshot}}
Recommendation(s)
It is recommended best practice that every link to an external, user-supplied destination passes through an intermediate disclaimer page that shows the user the destination they are about to visit and requires an explicit click to continue. The page should not redirect automatically, should accept only http and https destinations, and should not itself become an open redirect by forwarding arbitrary values of its destination parameter.
For more information, see Open Web Application Security Project (OWASP): https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
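The following is an added example of the recommendation above, not code from the original page: a server-side rewrite of user-posted links so that external ones go through a speed bump route, together with the handler that renders that page. The host name `example.com`, the `/leaving` route, the `to` query parameter and the sample comment are all assumptions made for the example.

```python
import html
import re
from urllib.parse import urlencode, urlsplit

# Assumed values for this example (not from the original page):
SITE_HOST = "example.com"       # the application's own host; its subdomains count as internal
INTERSTITIAL_PATH = "/leaving"  # the route that serves the speed bump page
ALLOWED_SCHEMES = {"http", "https"}


def is_external(url: str, site_host: str = SITE_HOST) -> bool:
    """True if the link leaves the application; relative links are internal."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host != site_host and not host.endswith("." + site_host)


def speed_bump_url(destination: str) -> str:
    """Build the interstitial URL; the destination travels in the 'to' query parameter."""
    return INTERSTITIAL_PATH + "?" + urlencode({"to": destination})


HREF_RE = re.compile(r'href="([^"]*)"')


def rewrite_external_links(rendered_html: str) -> str:
    """Rewrite every external href in already-rendered user content to go through the bump.

    Run this on the sanitized output of the comment/forum renderer so that every
    user-supplied link is covered in one place instead of per template.
    """
    def repl(match):
        target = html.unescape(match.group(1))
        if not is_external(target):
            return match.group(0)
        bump = html.escape(speed_bump_url(target), quote=True)
        return 'href="%s" rel="noopener noreferrer nofollow ugc"' % bump
    return HREF_RE.sub(repl, rendered_html)


def render_speed_bump(to: str) -> dict:
    """Serve the interstitial. Returns a dict shaped like an HTTP response.

    Fails closed: only http(s) destinations with a host are accepted, and the page
    never redirects on its own (no Location header, no meta refresh, no script),
    so the user must click through after seeing where the link leads.
    """
    parts = urlsplit(to)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return {"status": 400, "headers": {}, "body": "<p>Invalid destination.</p>"}
    if not is_external(to):
        # Internal destinations need no warning; send the user straight there.
        return {"status": 302, "headers": {"Location": to}, "body": ""}
    safe_url = html.escape(to, quote=True)
    safe_host = html.escape(parts.hostname)
    body = (
        "<h1>You are leaving %s</h1>\n"
        "<p>This link was posted by another user and points to <strong>%s</strong>:</p>\n"
        "<p><code>%s</code></p>\n"
        '<p><a href="%s" rel="noopener noreferrer">Continue to %s</a> &middot; '
        '<a href="/">Go back</a></p>\n'
    ) % (SITE_HOST, safe_host, safe_url, safe_url, safe_host)
    return {"status": 200, "headers": {"Content-Type": "text/html; charset=utf-8"}, "body": body}


if __name__ == "__main__":
    # Constructed sample: a rendered comment carrying one attacker-supplied external link.
    comment = ('<p>Reset your password <a href="https://evil.example/login">here</a> '
               'or visit <a href="/help">help</a>.</p>')
    print(rewrite_external_links(comment))
    print(render_speed_bump("https://evil.example/login")["body"])
```

The rewrite step is what makes the control complete: a speed bump route that exists but that user-posted links bypass adds nothing. Checking the scheme in `render_speed_bump` also keeps `javascript:` and protocol-relative `//host` values from being rendered as a clickable "Continue" link, and the absence of any automatic redirect is what keeps the route from turning into an open redirect.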