Hi!
Right now (and in 2021 too) CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') is mapped to A01:2025 Broken Access Control. It seems to me that this is an error. The OWASP website states the following:
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside the user's limits.
An open redirect vulnerability does not allow users to act outside of their intended permissions. Generally, the user is routed to a completely different site and the first site's permissions do not apply.
I think that CWE-601 is better categorized under A05:2025 Injection.
Thanks!
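To make the behaviour described in the post concrete, here is an added example (not code from the original post or from OWASP) of a redirect-target validator in plain Python. It contrasts the common but insufficient "starts with a slash" check with one that resolves the supplied value against the site's own origin and only accepts same-origin paths; the origin `https://app.example.test` and the function names are assumptions made for the example.

```python
from urllib.parse import urljoin, urlparse

# Constructed placeholder for the application's own origin.
SITE_ORIGIN = "https://app.example.test"


def naive_is_local(target: str) -> bool:
    """Common but insufficient check.

    A protocol-relative value such as "//evil.example/login" starts with "/"
    yet sends the browser to a completely different host.
    """
    return target.startswith("/")


def safe_redirect_target(target: str, origin: str = SITE_ORIGIN, fallback: str = "/") -> str:
    """Return a same-origin path to redirect to, or the fallback.

    The user-supplied value is resolved against our own origin and the result
    must keep our scheme and host. Absolute URLs to other hosts, protocol-
    relative URLs, non-http schemes (javascript:, data:), userinfo tricks such
    as "https://app.example.test@evil.example/" and backslash variants that
    some browsers normalise to "//" all fall back to the site root.
    """
    if "\\" in target:
        # Python's parser keeps backslashes in the path, but browsers may
        # treat "/\\evil.example" like "//evil.example"; reject outright.
        return fallback
    try:
        resolved = urlparse(urljoin(origin, target))
    except ValueError:
        # e.g. malformed IPv6 literal in the host part
        return fallback
    own = urlparse(origin)
    if resolved.scheme != own.scheme or resolved.netloc != own.netloc:
        return fallback
    path = resolved.path or "/"
    return path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    # Constructed sample inputs a login "next" parameter might carry.
    for value in ["/account", "//evil.example/login", "https://evil.example",
                  "javascript:alert(1)", "/\\evil.example"]:
        print(f"{value!r:32} naive={naive_is_local(value)!s:5} safe={safe_redirect_target(value)!r}")
```

The naive check accepts `//evil.example/login`, which is exactly the case where the user ends up on a site where the first site's permissions no longer apply; the origin-based check reduces every input to either a path on the application's own host or the fallback.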