I am pleased to announce the availability of the Allowed Redirects security feature for Oracle E-Business Suite 12.1.3. It is delivered in Patch 30110924.
An HTTP redirect (most commonly a "302 Found" response whose Location header names the new URL) is the standard way to send a browser from one URL to another. Because the browser follows that Location header without question, client redirects are a potential attack vector: if an attacker can influence the target, a link that appears to point at your trusted Oracle E-Business Suite host can deliver the user to a malicious site. The Oracle E-Business Suite Allowed Redirects feature lets you define a whitelist of allowed redirect targets for your Oracle E-Business Suite 12.1.3 environment.
When the Allowed Redirects feature is enabled, redirects to sites that are not configured in your whitelist are blocked. This provides defense against redirection to unknown and potentially damaging sites. The following is an example of an attack that the Allowed Redirects feature will prevent if properly configured:
Your users will see an error message if a redirect is blocked by the Allowed Redirects feature:
Note: Allowed Redirects only blocks navigation to sites that occurs via client redirects. It is not intended to prevent other methods of reaching external sites.
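To make the whitelist idea concrete, here is an added example (written for this page, not Oracle's implementation and not code shipped with Patch 30110924) showing the open-redirect pattern the feature defends against beside a host-allowlist check of the kind it enforces. The hostnames, the `next` parameter name and the application base URL are constructed for the example; the check also covers the common bypass tricks (scheme-relative `//host`, userinfo `trusted@evil`, backslashes, `javascript:`) that a whitelist on the raw string would miss.

```python
"""Illustrative host-allowlist check for client redirects.

Added example, not Oracle E-Business Suite code. The allowlist entries,
APP_BASE and the 'next' query parameter are constructed for the example.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed allowlist: the application's own host plus one trusted partner.
ALLOWED_HOSTS = {"ebs.example.com", "sso.example.com"}
APP_BASE = "https://ebs.example.com/"


def vulnerable_redirect_target(next_param: str) -> str:
    """Unsafe pattern: the caller-supplied target is used verbatim.

    A link such as https://ebs.example.com/redirect?next=https://evil.example
    looks like it points at the trusted host but lands on the attacker's site.
    """
    return next_param


def allowed_redirect_target(next_param: str, base: str = APP_BASE,
                            allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return an absolute URL to redirect to, or None if it is not allowed.

    Relative targets ('/OA_HTML/...') are resolved against the application
    base so normal in-application redirects still work. The host is taken
    from the parsed URL, so '//evil.example' and 'ebs.example.com@evil.example'
    are judged by the host the browser would really contact.
    """
    if not next_param or any(ch in next_param for ch in "\r\n"):
        return None  # empty target, or a CRLF header-injection attempt
    # Browsers treat backslashes as forward slashes; normalise before parsing
    # so '/\evil.example' is seen as the scheme-relative URL it really is.
    candidate = next_param.replace("\\", "/")
    absolute = urljoin(base, candidate)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data: and similar schemes are never allowed
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return None  # exact host match only; no suffix or substring matching
    return absolute


def handle_redirect_request(query_string: str) -> Tuple[int, str]:
    """Simulate the response to '/redirect?next=...'.

    Returns (status, location_or_message). A blocked target produces a 403
    with a user-facing message instead of a silent fall-through.
    """
    params = parse_qs(query_string)
    target = allowed_redirect_target(params.get("next", [""])[0])
    if target is None:
        return 403, "Redirect blocked: target is not in the allowed redirects list."
    return 302, target


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and several bypass attempts.
    for nxt in ["/OA_HTML/OA.jsp?page=1",
                "https://sso.example.com/login",
                "https://evil.example/phish",
                "//evil.example/phish",
                "https://ebs.example.com@evil.example/",
                "/\\evil.example/x",
                "javascript:alert(1)"]:
        print(f"{nxt!r:45} -> {handle_redirect_request('next=' + nxt)}")
```

The decision is made on the parsed hostname, not on whether the trusted name appears somewhere in the string, which is the mistake that turns a whitelist into a bypassable filter. Keep the list to exact hostnames you actually redirect to; anything else should produce a visible error, as the feature description above says it does.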