Fluid Attacks Database

Authentication mechanism absence or evasion - Redirect

Description

An attacker can gain access to the application by knowing a valid username by changing the redirect with which the server responds.

Impact

- Bypass the authentication process by changing the page redirection and thus gain access to the applications functionality. - Know a valid user. - Change the redirect and access the application.

Recommendation

Put in place for every resource with business-critical functionality a strong authentication process and ensure that every user attempting to access it is logged in.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⏱️ 60 minutes.

Requirements

227 - Display access notification 228 - Authenticate using standard protocols 229 - Request access credentials 231 - Implement a biometric verification component 235 - Define credential interface 264 - Request authentication 323 - Exclude unverifiable files

Fixes

Csharp Dart Elixir Go Java Php Python Scala Swift Typescript

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector

Attack complexity

Attack requirements

Privileges required

User interaction

Confidentiality (VC)

Integrity (VI)

Availability (VA)

Confidentiality (SC)

Integrity (SI)

Availability (SA)

Threat 4.0

Exploit maturity

Vector string

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N