MINOR Prevent unsafe redirects

README.md

@@ -9,7 +9,7 @@
 <br/>
 
 <div align="center">
-  <img src="https://img.shields.io/badge/⚙%20Item%20count%20-%2073%20Best%20practices-blue.svg" alt="73 items"> <img src="https://img.shields.io/badge/%F0%9F%93%85%20Last%20update%20-%20September%209%202018-green.svg" alt="Last update: September 9th, 2018"> <img src="https://img.shields.io/badge/%E2%9C%94%20Updated%20For%20Version%20-%20Node%208.11.3%20LTS-brightgreen.svg" alt="Updated for Node 8.11.3 LTS">
+  <img src="https://img.shields.io/badge/⚙%20Item%20count%20-%2074%20Best%20practices-blue.svg" alt="74 items"> <img src="https://img.shields.io/badge/%F0%9F%93%85%20Last%20update%20-%20October%207%202018-green.svg" alt="Last update: October 7th, 2018"> <img src="https://img.shields.io/badge/%E2%9C%94%20Updated%20For%20Version%20-%20Node%208.11.3%20LTS-brightgreen.svg" alt="Updated for Node 8.11.3 LTS">
 </div>
 
 <br/>
@@ -925,6 +925,16 @@ All statements above will return false if used with `===`
 
 **Otherwise:** This is just an educated guess: given many Node.js applications, if we try passing an empty JSON body to all POST requests - a handful of applications will crash. At that point, we can just repeat sending the same request to take down the applications with ease
 
+<br/><br/>
+
+## ![✔] 6.24. Prevent unsafe redirects
+
+**TL;DR:** Redirects that do not validate user input can enable attackers to launch phishing scams, steal user credentials, and perform other malicious actions.
+
+**Otherwise:** If an attacker discovers that you are not validating external, user-supplied input, they may exploit this vulnerability by posting specially-crafted links on forums, social media, and other public places to get users to click it.
+
+🔗 [**Read More: Prevent unsafe redirects**](/sections/security/saferedirects.md)
+
 <br/><br/><br/>
 
 <p align="right"><a href="#table-of-contents">⬆ Return to top</a></p>

sections/security/saferedirects.md

@@ -0,0 +1,58 @@
+# Prevent unsafe redirects
+
+### One Paragraph Explainer
+
+When redirects are implemented in Node.js and/or Express, it's important to perform input validation on the server-side.
+If an attacker discovers that you are not validating external, user-supplied input, they may exploit this vulnerability by posting specially-crafted links on forums, social media, and other public places to get users to click it.
+
+Example: Unsafe express redirect using user input
+```javascript
+const express = require('express');
+const app = express();
+
+app.get('/login', function (req, res, next) {
+
+  if (req.session.isAuthenticated()) {
+    res.redirect(req.query.url);
+  }
+
+}); 
+```
+
+The suggested fix to avoid unsafe redirects is to avoid relying on user input. If user input must be used, safe redirect whitelists can be used to avoid exposing the vulnerability.
+
+Example: Safe redirect whitelist
+```javascript
+const whitelist = { 
+  'https://google.com': 1 
+};
+
+function getValidRedirect(url) { 
+    // check if the url starts with a single slash 
+  if (url.match(/^\/(?!\/)/)) { 
+    // Prepend our domain to make sure 
+    return 'https://example.com' + url; 
+  } 
+    // Otherwise check against a whitelist
+  return whitelist[url] ? url : '/'; 
+}
+
+app.get('/login', function (req, res, next) {
+
+  if (req.session.isAuthenticated()) {
+    res.redirect(getValidRedirect(req.query.url));
+  }
+
+}); 
+```
+
+
+### What other bloggers say
+
+From the blog by [NodeSwat](https://blog.nodeswat.com/unvalidated-redirects-b0a2885720db):
+> Fortunately the mitigation methods for this vulnerability are quite straightforward — don’t use unvalidated user input as the basis for redirect. 
+
+From the blog by [Hailstone](https://blog.hailstone.io/how-to-prevent-unsafe-redirects-in-node-js/)
+> However, if the server-side redirect logic does not validate data entering the url parameter, your users may end up on a site that looks exactly like yours (examp1e.com), but ultimately serves the needs of criminal hackers!
+
+