ESAPI Swingset Interactive - HttpSecurity
Unvalidated Redirects/Forwards
Web Application Redirects and Forwards are very common and frequently include user supplied parameters in the destination URL. If they aren't validated, an attacker can potentially send victims to a site of their choice (say a phishing or malware site). Internal Redirects can also cause problems if not validated. An attacker may be able to bypass authentication or authorization checks.