update README.md

TempeHS · Nov 17, 2024 · 9ae3f04 · 9ae3f04
1 parent 83e8b21
commit 9ae3f04
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/...es/invalid_forward_and_redirect/README.md → .../invalid_forwards_and_redirects/README.md b/...es/invalid_forward_and_redirect/README.md → .../invalid_forwards_and_redirects/README.md
@@ -1,21 +1,21 @@
-# Invalid Forward and Redirect
+# Invalid Forwards and Redirects
 
 Invalid (or unvalidated) forwards and redirects are a form of user-controlled input in which a web application accepts untrusted input that could cause the web application to redirect. Because the domain name in the modified link is identical to the trusted domain name, phishing attempts may appear more trustworthy.
 
 This vulnerability is often combined with a CSRF, man in the middle or website spoofing as a more complex threat vector.
 
 ```HTTP
-https://www.trustedwebsite.com/examples/example.php?url=http://malicious.com
+https://www.trustedwebsite.com/examples/example.php?url=http://www.malicious.com
 ```
 
-| Protocol | subdomain | domain             | path     | endpoint     | parameters               |
-| -------- | --------- | ------------------ | -------- | ------------ | ------------------------ |
-| https    | www       | trustedwebsite.com | examples | example.html | url=http://malicious.com |
+| Protocol | subdomain | domain             | path     | endpoint     | parameters                   |
+| -------- | --------- | ------------------ | -------- | ------------ | ---------------------------- |
+| https    | www       | trustedwebsite.com | examples | example.html | url=http://www.malicious.com |
 
 ## How to penetrate test for this vulnerability
 
 1. Look for forms collecting URLs that are rendered on the front end. Enter a malicious URL and see if it validates and renders.
-2. Look for frontend URL, path, or endpoint parameter passing, construct a URL to an untrusted domain, and test whether the site redirects.
+2. Look for frontend URL, path, or endpoint parameter passing, construct a URL to an untrusted domain, and test whether the site redirects. `https://127.0.0.1:5000?url=http://www.malicious.com`
 
 ## How to countermeasure this vulnerability
 

diff --git a/README.md b/README.md
@@ -114,7 +114,7 @@ To support students first understanding specific security vulnerabilities and pr
 - [Encrypting passwords](.student_resources/encrypting_passwords/README.md).
 - [Exception management](.student_resources/defensive_data_handling/README.md#exception-handling).
 - [Defensive data handling](.student_resources/defensive_data_handling/README.md).
-- [Invalid forward and redirect](.student_resources/invalid_forward_and_redirect/README.md).
+- [Invalid forwards and redirects](.student_resources/invalid_forwards_and_redirects/README.md).
 - [Race conditions](.student_resources/race_conditions).
 - [Secure input form attributes](.student_resources/secure_form_attributes/README.md).
 - [SQL injection](.student_resources/SQL_Injection/README.md).