Execution After Redirect (EAR)

A redirect can be ignored by an attacker, so it’s very important to refrain from sending sensitive data that an attacker can get hold of by just ignoring the redirect.

What can happen?

The consequences of Execution After Redirect vary from case to case, which is why it is difficult to determine a general level of threat. An example of usage from the attacker's perspective is to access a page intended just for logged in users, which could result in all kinds of sensitive data being disclosed.

Example of Execution After Redirect

<?php

    if (!$loggedin) {
        // header() only queues the Location header; the script keeps running
        header('location: login.php');
    }

    // still executed, so the text is sent as the body of the redirect response
    echo "This should only be shown to logged in users.";

?>

This code will send the redirect, but also the data intended just for logged in users. Ordinary visitors won’t see it, because their browser follows the redirect and shows login.php instead. The attacker, however, can choose to ignore the redirect and by doing so read the data intended for logged in users straight from the response body.

Remediation

You need to get the script to stop before it sends the sensitive data after the redirect. In PHP this can be done by simply including a die(); after the redirect.

<?php

    if (!$loggedin) {
        header('location: login.php');
        die(); // this makes sure nothing more is sent
    }

    echo "This should only be shown to logged in users.";

?>

The script will detect that the attacker isn’t logged in and redirect them to login.php. It will then execute die(); which stops the continued execution of the page and prevents any more data from being sent.
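The following is an added example, not code from the original article: a small local HTTP server with a /vuln endpoint that keeps executing after the redirect (like the first PHP snippet) and a /fixed endpoint that stops (like the die(); version), plus the check a tester would run, which fetches each URL without following the redirect and flags any 3xx response that still carries a body. The endpoint names, the local server and the "nobody is logged in" scenario are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"This should only be shown to logged in users."

class DemoHandler(BaseHTTPRequestHandler):
    """/vuln keeps executing after the redirect; /fixed stops, like die()."""
    def do_GET(self):
        logged_in = False  # constructed scenario: nobody is ever logged in
        if not logged_in:
            self.send_response(302)
            self.send_header("Location", "/login.php")
            self.end_headers()
            if self.path == "/fixed":
                return  # equivalent of PHP's die(): nothing more is sent
        self.wfile.write(SECRET)  # still reached for /vuln after the redirect

    def log_message(self, *args):
        pass  # keep the demo server quiet

def fetch_without_following(host, port, path):
    """GET with http.client, which never follows redirects by itself."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def redirect_leaks_body(status, body):
    """True when a 3xx response carries anything beyond whitespace."""
    return 300 <= status < 400 and body.strip() != b""

def run_demo():
    """Serve on a free port, audit both endpoints, return {path: leaked}."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {p: redirect_leaks_body(*fetch_without_following("127.0.0.1", port, p))
                for p in ("/vuln", "/fixed")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, leaked in run_demo().items():
        print(path, "leaks body after redirect" if leaked else "clean")
```

Real applications sometimes send a short "Redirecting..." notice with a 3xx, so in practice compare the body against that known-good size rather than flagging every non-empty body.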
