Route follows redirections from external APIs


Description

An API endpoint follows redirections from external APIs. When an application automatically follows HTTP redirects returned by a third-party API, it may be tricked into sending requests to unintended or malicious destinations. An attacker who controls or compromises the external API could redirect your application to internal services, exposing sensitive data or enabling server-side request forgery (SSRF).

Rationale

This finding identifies an API route whose HTTP client automatically follows HTTP redirections (3xx responses) returned by external APIs, rather than handling them explicitly.

Remediation

  • Disable automatic redirect following for HTTP clients calling external APIs
  • If redirections must be followed, validate the target URL against an allowlist before following
  • Log and monitor unexpected redirections for anomaly detection
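The three remediation steps above, worked through as an added example (not code from the original page): the HTTP client is expected to make a single request without following redirects, the Location header is resolved and checked against an exact host allowlist before any hop is taken, and refused redirects are logged. The allowlisted host, the `send` callback and the canned responses are constructed for illustration; with the `requests` library the callback would use `allow_redirects=False`.

```python
import logging
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

log = logging.getLogger("external_api")
# Hypothetical allowlist: the only third-party API hosts this service may reach.
ALLOWED_HOSTS = {"api.example-partner.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 3
Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)


def next_hop(request_url: str, status: int, location: Optional[str]) -> Optional[str]:
    """Return the redirect target to follow, or None if it must not be followed."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    target = urljoin(request_url, location)  # Location may be relative
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    # Only https and only exact allowlisted hosts: an internal IP, a lookalike
    # domain or a scheme downgrade is refused and logged for monitoring.
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        log.warning("refused redirect %s -> %s (HTTP %d)", request_url, target, status)
        return None
    return target


def fetch(url: str, send: Callable[[str], Response], max_hops: int = MAX_HOPS):
    """Call an external API with redirects handled here, not by the client.
    `send` does ONE request without auto-following redirects (for `requests`,
    allow_redirects=False). Returns (final_url, status, body)."""
    for _ in range(max_hops + 1):
        status, headers, body = send(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        target = next_hop(url, status, headers.get("Location"))
        if target is None:
            return url, status, body  # hand the 3xx back to the caller, unfollowed
        url = target
    raise RuntimeError("too many redirects")


# Constructed responses standing in for a third-party API, so this runs offline.
FAKE_RESPONSES: Dict[str, Response] = {
    "https://api.example-partner.com/v1/items": (301, {"Location": "/v2/items"}, b""),
    "https://api.example-partner.com/v2/items": (200, {}, b'{"items": []}'),
    "https://api.example-partner.com/v1/hijacked": (302, {"Location": "http://10.0.0.5/admin"}, b""),
}


def fake_send(url: str) -> Response:
    return FAKE_RESPONSES.get(url, (404, {}, b""))
```

Calling `fetch("https://api.example-partner.com/v1/items", fake_send)` follows the same-host relative redirect to `/v2/items`, while the hijacked route returns the 302 to the caller untouched and emits a warning.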

References

Reference: OWASP API10:2023 - Unsafe Consumption of APIs
Description: OWASP API Security guidance on safely consuming third-party APIs.