XSS, encoding a return url
Here is the vulnerable code:
<?php header("Location: ".$_POST['target']); ?>
What is the appropriate way to make sure nasty things that come in to target are cleaned?
First up, this is a vulnerability.
OWASP categorizes it as "Unvalidated Redirects and Forwards". See OWASP's guide for more information.
A few interesting attacks are possible. See this thread on sla.ckers.org for ideas on how this can be abused.
How do you protect yourself?
- Verify the scheme of the URL. You usually only want to support http and https. Abort the request for any other scheme.
- Parse the URL, and extract the domain. Only allow redirects to a known list of domains. For other domains, abort the request.
That's about it.
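One way to apply those two rules to the handler from the question, as an added example that is not part of the original answer (the allowed host names and the 400 response are assumptions):

```php
<?php
// Added example: validate a redirect target against the two rules above.
// Rule 1: scheme must be http or https. Rule 2: host must be on a known list.
// Returns the URL to redirect to, or null when the request should be aborted.
function safe_redirect_target(string $target, array $allowed_hosts): ?string
{
    // Refuse control characters outright; CR/LF in a Location value is a
    // response-splitting vector and no legitimate URL contains them.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return null;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return null; // malformed URL, nothing to validate
    }

    // Rule 1: only http and https. A missing scheme also fails here, which
    // rejects protocol-relative targets such as //evil.example/ and
    // scheme-less inputs the browser would otherwise resolve for us.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    // Rule 2: the host must be on the allowlist (hosts are case-insensitive).
    // Note that http://trusted.example@evil.example/ parses with host
    // "evil.example", so the comparison is against the real host, not the
    // leading userinfo that a casual glance at the URL would see.
    $host = strtolower($parts['host'] ?? '');
    if ($host === '' || !in_array($host, $allowed_hosts, true)) {
        return null;
    }

    // No reason for a redirect target to carry credentials; reject them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    return $target;
}

// Replacement for the original one-liner. The host list is assumed to be
// this application's own domains.
$allowed = ['www.example.com', 'example.com'];
$dest = safe_redirect_target($_POST['target'] ?? '', $allowed);
if ($dest === null) {
    http_response_code(400);
    exit('Invalid redirect target');
}
header('Location: ' . $dest);
exit;
```

Because parse_url() is lenient with odd inputs, the exact-match host allowlist is the load-bearing check; the scheme test mainly closes off javascript:, data: and protocol-relative targets.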