[VIM] Open redirects - yes or no?
security curmudgeon
jericho at attrition.org
Thu May 1 22:51:51 UTC 2008
: > OSVDB typically adds these.
:
: I would prefer we didn't.
: > redirects should go to a logout/splash page indicating the user/customer is
: > leaving the legitimate site. If that is in place, we don't ding the client
: > at work, and we don't add it to OSVDB.
:
: A subjective, case-by-case judgment. That's why I would prefer we
: didn't count them.

How is that subjective?

Either the app allows one click redirection to arbitrary sites w/o
warning, or it gives you a warning that you are leaving the site and
going to X in some fashion (logout page, leaving site splash page).