From a83bc196e3b891ffa7c82cc5eb3ad6c4ce6d67f3 Mon Sep 17 00:00:00 2001 From: Sander Hautvast Date: Mon, 5 Feb 2024 11:54:41 +0100 Subject: [PATCH] Update sectraining.md --- sectraining.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sectraining.md b/sectraining.md index 7a36e36..fbb6ca2 100644 --- a/sectraining.md +++ b/sectraining.md @@ -113,3 +113,15 @@ public void doAction(HttpServletRequest request, HttpServletResponse response) { // ... } ``` + +### Open Redirect + +#### Java Prevention +Unless the development is aided by third-party libraries, developers must implement their own solution to determine whether the user-controlled string represents a local path or not. If the list of permitted URLs for redirection is known, implement an allow list of such URLs. + +Otherwise, an easy ad hoc solution could be the following: +```java +private static boolean isLocal(String path) { + return path.startsWith("/") && !path.startsWith("//"); +} +```
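Review bot: `isLocal` in the added `sectraining.md` hunk only inspects the first two characters, so a string that starts with `/\` or with a slash followed by an encoded character still returns true even though it does not name a local path; the text's own stated goal ("determine whether the user-controlled string represents a local path or not") is not met by a leading-slash test alone. Suggest either parsing the value with `java.net.URI` and requiring that `uri.getScheme() == null && uri.getAuthority() == null` (rejecting any input that contains a backslash or fails to parse), or resolving the candidate against the application's base URL and comparing the resulting host, and state in the prose that the allow list described in the preceding paragraph is the preferred option with the snippet as a fallback only. The sentence introducing the snippet as "an easy ad hoc solution" would also benefit from one line naming what it does not cover, so readers do not copy it as a complete defence.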