1. Introduction

In this tutorial, we will delve into the concept of unvalidated redirects and forwards, which is a common vulnerability in web applications. A web application might be manipulated into redirecting or forwarding a user to an unexpected, potentially malicious URL. By the end of this tutorial, you will understand the risks associated with these vulnerabilities and how to prevent them in your web applications.

What you'll learn:
- What unvalidated redirects and forwards are
- The potential risks they pose
- How to prevent unvalidated redirects and forwards in your web applications

Prerequisites:
- Basic understanding of web development
- Familiarity with a server-side language such as PHP, JavaScript (Node.js), Python, or Java.

2. Step-by-Step Guide

Unvalidated redirects and forwards occur when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input.

Example:

// PHP code vulnerable to unvalidated redirects
header("Location: " . $_GET['url']);

In the above example, an attacker could provide a malicious URL as a parameter, causing users to be redirected to a harmful site.

Best Practice:

To prevent unvalidated redirects and forwards, avoid using user input to determine the destination of redirects and forwards. If it's necessary, ensure that the supplied value is valid, and is authorized for the user.

3. Code Examples

Example 1: Ensuring only valid URLs are used in redirects (PHP)

$allowed_urls = ['https://yourwebsite.com/page1', 'https://yourwebsite.com/page2'];

if(in_array($_GET['url'], $allowed_urls)){
    header("Location: " . $_GET['url']);
} else {
    // Redirect to a default page
    header("Location: https://yourwebsite.com/error");
}

Example 2: Preventing unvalidated forwards in Java

// Java code vulnerable to unvalidated forwards
request.getRequestDispatcher("/" + request.getParameter("page")).forward(request, response);

// Java code safe from unvalidated forwards
String page = request.getParameter("page");
if (page.equals("home") || page.equals("about") || page.equals("contact")) {
    request.getRequestDispatcher("/" + page).forward(request, response);
} else {
    response.sendRedirect("error.jsp");
}

4. Summary

In this tutorial, we covered what unvalidated redirects and forwards are, why they are a security risk, and how to mitigate these risks. The best way to prevent unvalidated redirects and forwards is to avoid using user input to determine the destination. If user input is necessary, ensure the supplied value is valid and authorized for the user.

5. Practice Exercises

Exercise 1: Given an array of valid URLs, write a function in PHP that only redirects to these URLs. If an invalid URL is provided, the function should redirect to a default error page.

Exercise 2: In Java, modify the provided code that uses request.getRequestDispatcher() to forward the request to a new page based on user input. Ensure that the new page is one of "home", "about", or "contact". If an invalid page is provided, redirect the user to an error page.

Solutions:

Please refer to the code examples provided in section 3 for the solutions to these exercises.

Keep practicing to further solidify your understanding of preventing unvalidated redirects and forwards.