Salesforce B2C Commerce 20.10 > B2C Commerce Security Guide > Security Best Practices for Developers

Open Redirect Attacks

When a web application trusts user input as a redirect destination, an attacker can use that input to redirect users to a website that they control and steal their information.

How Open Redirect Attacks Occur

An attack works like this.

  1. The attacker tricks the customer into visiting a seemingly trustworthy link with a redirect parameter, for example, myshop.com/?next=evil.com.
  2. The myshop.com site returns the login page to the user.
  3. The user enters the username and password for myshop.com.
  4. The user logs in to sometrustedshop.com.
  5. After login, the site honors the redirect parameter and the browser follows the redirect to evil.com.
  6. The attacker steals the user’s credentials.

How to Mitigate Against an Open Redirect Attack

Consider this vulnerability whenever you use the ISML template <isredirect> element, or whenever user-entered data reaches dw.system.Response.redirect, directly or indirectly.
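The following is an added example, not code from the Salesforce documentation or the B2C Commerce platform. It shows one way to validate a redirect target such as the `next` parameter before handing it to a redirect call: the raw value is resolved against the storefront origin with the WHATWG URL parser, which also normalizes tricks like `//evil.com` and backslashes, and the result is accepted only if it is HTTPS and its host is on an allowlist. The storefront origin (`https://myshop.com`), the allowed hosts, and the `resolveRedirectTarget` function name are assumptions made for this example; an SFRA-style controller would pass the result to `res.redirect`, which this example does not depend on.

```javascript
// Added example (not Salesforce's or the platform's code): choose a safe redirect
// target from untrusted input before calling a redirect API.

// Assumed storefront origin and allowlist of hosts the shop may redirect to.
const SITE_ORIGIN = 'https://myshop.com';
const ALLOWED_HOSTS = new Set(['myshop.com', 'checkout.myshop.com']);

/**
 * Return a redirect destination that is safe to use, or fallbackPath when the
 * untrusted value points anywhere outside the allowlisted hosts.
 *
 * Same-origin targets are returned as a relative path (path + query + fragment)
 * so the scheme and host can never be influenced by the caller. Allowlisted
 * sibling hosts are returned as an absolute HTTPS URL.
 */
function resolveRedirectTarget(rawTarget, fallbackPath = '/') {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) {
    return fallbackPath;
  }

  // Control characters and whitespace are stripped by URL parsers (e.g. "\tjavascript:"),
  // so reject them outright instead of relying on the parser's cleanup.
  if (/[\u0000-\u001f\u007f\s]/.test(rawTarget)) {
    return fallbackPath;
  }

  let url;
  try {
    // Resolving against SITE_ORIGIN turns "/account" into a same-origin URL,
    // but "//evil.com", "/\evil.com" and "https://evil.com" all resolve to evil.com.
    // A bare host name such as "evil.com" resolves to the path "/evil.com" on the
    // shop; the attack on this page needs the application to accept an absolute
    // URL or prepend a scheme, which is exactly what the checks below catch.
    url = new URL(rawTarget, SITE_ORIGIN);
  } catch (e) {
    return fallbackPath; // unparseable input
  }

  // Only HTTPS: this rejects javascript:, data:, and a downgrade to http://.
  if (url.protocol !== 'https:') {
    return fallbackPath;
  }

  // Exact host match: "myshop.com.evil.com" and "myshop.com@evil.com" both fail.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return fallbackPath;
  }

  // Embedded credentials are never a legitimate redirect target.
  if (url.username || url.password) {
    return fallbackPath;
  }

  if (url.origin === SITE_ORIGIN) {
    return url.pathname + url.search + url.hash;
  }
  return url.href;
}

// Illustrative use in a controller (assumed SFRA-style req/res objects):
//   res.redirect(resolveRedirectTarget(req.querystring.next, '/account'));

module.exports = { resolveRedirectTarget, SITE_ORIGIN, ALLOWED_HOSTS };
```

Returning same-origin targets as a relative path is the key design choice: even if a later refactor loosens the host check, the value handed to the redirect call can only ever name a location on the shop itself. Keep the allowlist short and explicit; a suffix match such as "ends with myshop.com" is what lets `myshop.com.evil.com` through.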

Follow these best practices.
