Update sectraining.md

2024-02-05 11:54:41 +01:00 · 2024-02-05 11:54:41 +01:00 · a83bc196e3
commit a83bc196e3
parent 84200f0bcf
1 changed files with 12 additions and 0 deletions
--- a/sectraining.md
+++ b/sectraining.md
@ -113,3 +113,15 @@ public void doAction(HttpServletRequest request, HttpServletResponse response) {
 	// ...
 }
 ```
+
+### Open Redirect
+
+#### Java Prevention
+Unless the development is aided by third-party libraries, developers must implement their own solution to determine whether the user-controlled string represents a local path or not. If the list of permitted URLs for redirection is known, implement an allow list of such URLs.
+
+Otherwise, an easy ad hoc solution could be the following:
+```java
+private static boolean isLocal(String path) {
+    return path.startsWith("/") && !path.startsWith("//");
+}
+```