Route follows redirections from external APIs
Description
An API endpoint follows redirections from external APIs. When an application automatically follows HTTP redirects returned by a third-party API, it may be tricked into sending requests to unintended or malicious destinations. An attacker who controls or compromises the external API could redirect your application to internal services, exposing sensitive data or enabling server-side request forgery (SSRF).
Rationale
This finding works by identifying an API route that follows HTTP redirections (3xx responses) when communicating with external APIs, rather than handling them explicitly.
- Disable automatic redirect following for HTTP clients calling external APIs
- If redirections must be followed, validate the target URL against an allowlist before following
- Log and monitor unexpected redirections for anomaly detection
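As an added example (not part of the original page), the following Python client wrapper applies all three recommendations: automatic following is turned off, every 3xx is logged, and a redirect is followed only if its resolved target is HTTPS and on a host allowlist. The host name `api.partner.example`, the internal URL, and the responses in `FAKE_RESPONSES` are constructed for the example; only `requests_send` touches the network.

```python
import logging
from urllib.parse import urljoin, urlsplit

log = logging.getLogger("external_api_client")
ALLOWED_HOSTS = {"api.partner.example"}  # assumption: the only host we should talk to
MAX_HOPS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

class RedirectRefused(Exception):
    """Raised when a 3xx points somewhere we are not willing to go."""

def next_hop(current_url, location, allowed_hosts=ALLOWED_HOSTS):
    """Resolve a Location header; return it only if it passes the allowlist."""
    target = urljoin(current_url, location)  # relative Location values are legal
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise RedirectRefused(f"non-https redirect target: {target}")
    if parts.hostname not in allowed_hosts:
        raise RedirectRefused(f"redirect host not on allowlist: {parts.hostname}")
    return target

def fetch_with_checked_redirects(url, send, max_hops=MAX_HOPS):
    """send(url) -> (status, headers, body) with automatic following disabled.
    Each 3xx is logged and followed only via next_hop(); returns (url, status, body)."""
    for _ in range(max_hops + 1):
        status, headers, body = send(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        location = headers.get("Location")
        if location is None:
            raise RedirectRefused(f"{status} without Location from {url}")
        log.warning("external API redirect: %s -> %s", url, location)  # for monitoring
        url = next_hop(url, location)
    raise RedirectRefused(f"more than {max_hops} redirects starting at {url}")

def requests_send(url):
    """Real transport via `requests`, with its automatic redirect following turned off."""
    import requests  # lazy import so the module still loads without it installed
    r = requests.get(url, allow_redirects=False, timeout=5)
    return r.status_code, r.headers, r.content

# Constructed responses standing in for the external API, so this runs offline.
FAKE_RESPONSES = {
    "https://api.partner.example/v1/report": (302, {"Location": "/v1/report/latest"}, b""),
    "https://api.partner.example/v1/report/latest": (200, {}, b'{"ok": true}'),
    "https://api.partner.example/v1/compromised": (302, {"Location": "http://internal.corp.example/admin"}, b""),
    "https://api.partner.example/v1/loop": (302, {"Location": "/v1/loop"}, b""),
}

def fake_send(url):
    return FAKE_RESPONSES.get(url, (404, {}, b""))
```

Swap `fake_send` for `requests_send` to use it against a real endpoint; a refused redirect surfaces as `RedirectRefused` rather than as a silent request to the wrong host.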
References