Tagged articles
1 article
JD Tech
Mar 15, 2019 · Information Security

Arbitrary URL Redirect Vulnerability and Pitfalls of Java URL.getHost()

The article analyzes an arbitrary URL redirect flaw caused by unchecked returnUrl parameters, demonstrates how Java's URL.getHost() can be misused through backslash and hash bypasses, and provides a robust validation code snippet that works across JDK versions.

JDK · Security · URL redirect
0 likes · 5 min read