Scoring 3.0 Severity: High
Factor: Application Security
Summary
The Issue type Redirect Chain Contains HTTP (redirect_chain_contains_http_v2) identifies URL redirect chain containing at least one HTTP URL between the Initial URL and the Final URL.
For example the re-direct chain for the URL http://2-rns.com/ looks like below:
Initial URL: http://2-rns.com/ (HTTP 301) -->
http://examplebucle.net/ (HTTP 301) -->
https://examplebucle.net/ (HTTP 301) -->
Final URL: https://www.examplebucle.com/ (HTTP 200)
The HTTP 301 redirect to http://examplebucle.net/ above is causing this finding to be raised.
Description
A redirect chain refers to a series of consecutive redirects that occur when a user or browser attempts to access a specific web page or resource. These redirects are a sequence of HTTP responses that guide the user from one URL to another. Redirect chains are implemented for various reasons, including URL changes, ensuring secure connections through HTTPS or indicating a resource has moved. Efficient management of redirect chains is essential for maintaining a seamless user experience and optimizing website performance.
Risk
A redirect chain containing HTTP introduces security risks by exposing user data to potential interception and manipulation. When one or more steps in the chain involve unencrypted HTTP connections, sensitive information becomes susceptible to eavesdropping by malicious actors. This scenario increases the likelihood of man-in-the-middle attacks, where adversaries could exploit the lack of encryption to compromise data integrity and confidentiality. Additionally, users may be redirected to unsecured destinations, creating opportunities for phishing or other malicious activities.
Recommendation
- Ensure all URLs involved in the redirect chain use HTTPS to encrypt the communication between the user and the server.
- Review and update any outdated or unsecure redirects, replacing HTTP with HTTPS where necessary.
- Use relative paths in redirects to avoid specifying the protocol, allowing the browser to maintain the current secure connection.
- Verify that server configurations and web server settings are appropriately configured to enforce HTTPS throughout the redirect chain.
- Periodically review and update redirects to align with security best practices and accommodate changes in website structure or requirements.
Additional Information
The severity in Scoring 3.0 is High. It is based on breach risk and determined by SecurityScorecard based on SecurityScorecard data using ML/AI. See Scoring Methodology Whitepaper
The Age-Out/Decay period is 45 days since the last observation date.
Self testing
You may validate the redirection chain by using the Initial URL described in the finding with the following 3rd Party tools. All can be used to confront contradictory results. However when comparing results, ensure that the endpoint scanned by each is exactly the same information and matching the SecurityScorecard finding Initial URL.
- Redirect-Checker https://www.redirect-checker.org/
- WhereGoes https://wheregoes.com/
Remediation
SecurityScorecard allows the removal of findings if either of the following is true:
- Endpoint configuration has been changed, redirection to HTTPS endpoint instead of HTTP via Server-side redirect (HTTP 30X Status code) is now in place.
=> Select the finding and then click on the "Fixed" button, "technical_remediation". - The endpoint has been closed and therefore not offering any HTTP endpoint for a redirection.
=> Select the finding and then click on the "Fixed" button, "technical_remediation". - After verification (using the methods above for example), the redirect chain defined in the finding contains only HTTPS URLs in the contrary of what SecurityScorecard is stating.
=> Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue and I think it’s incorrect", "false_positive". - If there is HSTS Header present on the Final URL in the re-direction with max-age directive set with at least
31536000seconds (1 year).
=> Select the finding and then click on "Other resolutions" --> "I have a compensating control", "compensating_control". - Bot detection is in place causing the scanner to not detect properly the redirection.
=> Select the finding and then click on "Other resolutions" --> "I have a compensating control", "compensating_control".