views:

21

answers:

0

I've been going through the OWASP Top 10 to get a deeper understanding of each specific type of vulnerability. I've made my way to the last item, Unvalidated URL Redirects. I understand the attack; such a phishing scheme seems completely obvious now that I have read about it in OWASP. What I am struggling to understand is why this style of redirecting ever occurs in the first place.

There must be some advantage(s) to including the redirect URL as a parameter in the URL

i.e. example.com/go.php?url=newpage.php

rather than using many of the other possible redirect schemes. Even if the url parameter is generated dynamically, couldn't it still be sent through POST to prevent the creation of malicious URLs? Why does Google allow anyone to send "I'm Feeling Lucky" redirect URLs like this one that goes to Stack Overflow?
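As an added example (not part of the question or any answer), here is the `go.php?url=` pattern rewritten in Python with the trusting version beside a hardened one. The hardened validator keeps the convenience of a redirect parameter while refusing targets that would leave the site: it allows only path-absolute relative URLs or absolute `http(s)` URLs whose host is on a constructed allow-list, and it handles the parser edge cases that usually break naive checks (protocol-relative `//host`, `///host`, backslashes and embedded tabs that browsers normalise, `user@host` confusion). The origin, allow-list, and the indirect-reference table are assumptions made up for the example; OWASP's recommended alternative of mapping a short token to a server-side URL is shown as `resolve_indirect`.

```python
from urllib.parse import urlsplit

# Constructed example configuration (assumptions, not a real deployment).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"

# Server-side mapping for indirect references: ?to=docs instead of ?url=...
# Constructed values; the client never supplies a URL, only a key.
LINK_TABLE = {
    "home": "/",
    "docs": "/docs/",
    "support": "https://www.example.com/support",
}


def unsafe_redirect_target(url_param: str) -> str:
    """The pattern from the question: go.php?url=... followed verbatim.

    Anything goes here, so https://evil.example/... is redirected to as well.
    """
    return url_param


def safe_redirect_target(url_param: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return url_param if it is a safe redirect target, else default.

    Policy: either a path-absolute URL on this site ("/account"), or an
    absolute http(s) URL whose host is on the allow-list. Everything else,
    including anything that browsers might resolve to a third-party host,
    falls back to the default landing page.
    """
    if not url_param:
        return default

    # Browsers strip ASCII tab/newline inside URLs and treat "\" like "/"
    # for http(s), so normalise the same way before inspecting the string.
    candidate = url_param.strip()
    for ch in ("\t", "\r", "\n"):
        candidate = candidate.replace(ch, "")
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)

    if parts.scheme:
        # Absolute URL: only http/https (rejects javascript:, data:, etc.)
        # and only to a host we explicitly allow. parts.hostname already
        # drops any "user:pass@" prefix, so "https://example.com@evil.example"
        # is judged by its real host.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else default

    # No scheme. "//host" and "///host" are protocol-relative to a browser,
    # even though urlsplit parses the triple-slash form as a local path.
    if candidate.startswith("//"):
        return default

    # Require a path-absolute target so "evil.example" or "account" can not be
    # interpreted differently by the browser than by this check.
    if not candidate.startswith("/"):
        return default

    return candidate


def resolve_indirect(key: str, table=LINK_TABLE, default: str = DEFAULT_TARGET) -> str:
    """Indirect reference: the parameter is a key, never a URL."""
    return table.get(key, default)


if __name__ == "__main__":
    for sample in ("/account", "//evil.example", "https://www.example.com/next",
                   "https://example.com@evil.example/", "javascript:void(0)"):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
    print("indirect 'docs' ->", resolve_indirect("docs"))
```

The allow-list check is on the parsed host, not a substring match, which is why `https://example.com.evil.example/` is rejected even though it contains the allowed name. If the only legitimate targets are on the same site, dropping absolute URLs entirely (keep just the path-absolute branch) is simpler still, and the indirect table removes the user-controlled URL altogether.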