Update sectraining.md

Sander Hautvast 2024-02-05 11:54:41 +01:00 committed by GitHub
parent 84200f0bcf
commit a83bc196e3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -113,3 +113,15 @@ public void doAction(HttpServletRequest request, HttpServletResponse response) {
// ... // ...
} }
``` ```
### Open Redirect
#### Java Prevention
Unless the development is aided by third-party libraries, developers must implement their own solution to determine whether the user-controlled string represents a local path or not. If the list of permitted URLs for redirection is known, implement an allow list of such URLs.
Otherwise, an easy ad hoc solution could be the following:
```java
private static boolean isLocal(String path) {
return path.startsWith("/") && !path.startsWith("//");
}
```
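Review bot: the `isLocal` helper at the end of this hunk still accepts values such as `/\evil.example`, which some browsers normalise to a scheme-relative `//evil.example`, so the check should also reject a leading `/\` (`&& !path.startsWith("/\\")`), or better, parse the value with `java.net.URI` and require `getScheme() == null`, `getAuthority() == null` and a path beginning with `/`. The prose above it should also say plainly that the allow list is the preferred control and that this helper is only a fallback when no allow list can be defined, rather than presenting the two as equal alternatives.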