CWE-698

Base Abstraction Level
Pillar — Highest-level weakness category
Class — Abstract, language-independent
Base — Specific enough to detect
Variant — Tied to specific technology
Compound — Requires multiple weaknesses
Incomplete MITRE CWE Status
Stable — Fully reviewed and complete
Draft — Under development, may change
Incomplete — Partially defined by MITRE
Deprecated — No longer recommended
Obsolete — Replaced by another CWE
Execution After Redirect (EAR)

Description

The web application sends a redirect to another location, but instead of exiting, it executes additional code.

Top Monitored CVEs

Consequences

Other, Confidentiality, Integrity, Availability — Alter Execution Logic, Execute Unauthorized Code or Commands

This weakness could affect the control flow of the application and allow execution of untrusted code.

Detection

Black Box

This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.