Arbitrary URL Redirect Vulnerability and Pitfalls of Java URL.getHost()
The article analyzes an arbitrary URL redirect flaw caused by unchecked returnUrl parameters, demonstrates how Java's URL.getHost() can be misused through backslash and hash bypasses, and provides a robust validation code snippet that works across JDK versions.
The article explains the arbitrary URL redirect vulnerability caused by insufficient validation of the returnUrl parameter on the server side, which can be exploited for phishing attacks.
It presents a basic mitigation in Java by retrieving the host of the supplied URL using new URL(url).getHost() and checking whether it ends with the expected domain (e.g., ".bbb.com").
However, the article reveals two pitfalls of the URL.getHost() method: (1) it can be bypassed with backslashes (e.g., "http://www.aaa.com\\www.bbb.com") because the method treats the backslash as a normal character; (2) different JDK versions handle the fragment identifier (#) differently, allowing low‑version JDKs to include the fragment in the host value and bypass the domain check.
Code examples demonstrate these bypasses and show how the host value varies across JDK versions (1.6, 1.7, 1.8). Screenshots illustrate the differing outputs.
To use getHost() securely, the article proposes sanitizing the URL by removing backslashes and hash symbols before extracting the host, then performing the domain check. The following validation code is provided:
import java.net.MalformedURLException;
import java.net.URL;

// request is the servlet HttpServletRequest carrying the returnUrl parameter
String url = request.getParameter("returnUrl");
String host = "";
try {
    // Remove backslashes and hash symbols so getHost() cannot be confused by them
    url = url.replaceAll("[\\\\#]", "");
    host = new URL(url).getHost();
} catch (MalformedURLException e) {
    e.printStackTrace();
}
// host stays "" on a parse failure, so the check below fails closed
if (host.endsWith(".bbb.com")) {
    // redirect
} else {
    // do not redirect, report error
}

A real‑world case is given where an attacker can craft a URL such as "https://www.baidu.com#www.bbb.com?x=123" to bypass the check and cause a 302 redirect to an external site.
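As an added example that is not the article's own code, the validator below takes the stricter route of rejecting input containing the two characters the article shows confusing URL.getHost(), parsing with java.net.URI, restricting the scheme, and matching the domain as an exact value or dotted suffix. The domain "bbb.com" and the two bypass strings come from the article; the class name, method name and the "evilbbb.com" sample are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ReturnUrlValidator {
    // Domain the article checks for; the class and method names are assumptions.
    private static final String ALLOWED_DOMAIN = "bbb.com";

    // True only for an absolute http(s) URL whose host is bbb.com or a subdomain of it.
    public static boolean isSafeReturnUrl(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        // Reject rather than strip the two characters the article shows misleading
        // URL.getHost(); neither has a legitimate place before the host of a return URL.
        if (url.indexOf('\\') >= 0 || url.indexOf('#') >= 0) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url); // java.net.URI rejects illegal characters instead of guessing
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false; // relative URL, or no parseable authority
        }
        scheme = scheme.toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false; // no javascript:, data: or other schemes
        }
        host = host.toLowerCase();
        // Exact match or dotted suffix, so a constructed look-alike such as "evilbbb.com" fails.
        return host.equals(ALLOWED_DOMAIN) || host.endsWith("." + ALLOWED_DOMAIN);
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://www.bbb.com/home",                // should pass
            "http://www.aaa.com\\www.bbb.com",         // backslash case from the article
            "https://www.baidu.com#www.bbb.com?x=123", // fragment case from the article
            "https://evilbbb.com"                      // constructed suffix look-alike
        };
        for (String s : samples) {
            System.out.println(isSafeReturnUrl(s) + "  " + s);
        }
    }
}
```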
References to related technical articles are listed at the end.
JD Tech