Prevent malicious redirections in browsers in Web Agent

Article ID: 275589


Products

SITEMINDER, CA Single Sign-On, CA Single Sign On Agents (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The application uses the request "Host" header value while constructing the URL to perform redirection.

Note that the host header value is user controlled and can be injected with malicious values.

The tester observed that the application relies on client host header values and does not perform any validation against an acceptable list of secure application URLs / FQDNs.

The application accepts user-controlled input that specifies a link to an external site, and uses that link in a Redirect.

This can lead to phishing and other attacks.

This application uses the Host and Referer headers from the requests to redirect users.

However, since there is no validation on the values of these headers, a man-in-the-middle attacker can use them to redirect users to phishing sites.

Is there an ACO parameter we can set on this agent-based application that can prevent the above?

Resolution

SiteMinder redirections are controlled via two ACO parameters (1)(2):

validtargetdomain
validfedtargetdomain

But those only apply to redirections that SiteMinder itself performs. A redirection performed by the application on requests SiteMinder does not handle is outside SiteMinder's scope.

A common solution for this is the Akamai WAF, which has various capabilities including whitelisting of acceptable hosts.

Server-side code on the web server (PHP, Ruby, ASP, etc.) can also validate the redirect target against an acceptable list of application FQDNs before issuing the redirect.

Configuring a Content Security Policy (CSP) and CORS settings might be another option.
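As an added illustration of such server-side validation (example code, not from this article or from SiteMinder), the check below only builds a redirect URL when the request's Host header matches an allowlist of application FQDNs and the target is a site-relative path. The allowlist entries, the leading-dot "domain and its subdomains" convention, and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of trusted application FQDNs (assumption: a leading
# dot allows that domain and any of its subdomains, otherwise exact match).
ALLOWED_DOMAINS = ("app.example.com", ".sso.example.com")


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True only if the bare hostname matches an allowlist entry."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in allowed):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def parse_host_header(raw):
    """Split 'host[:port]'; return (host, port) or None if not a plain authority."""
    if raw is None:
        return None
    raw = raw.strip()
    # Anything beyond a hostname plus optional numeric port is rejected outright,
    # so userinfo ('@'), path separators and fragments cannot smuggle a foreign host.
    if not raw or any(c in raw for c in "@/\\#?% \t\r\n"):
        return None
    host, _, port = raw.partition(":")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        return None
    return host.lower(), port


def build_redirect(host_header, target_path, scheme="https", allowed=ALLOWED_DOMAINS):
    """Return an absolute redirect URL on a trusted host, or None to refuse."""
    parsed = parse_host_header(host_header)
    if parsed is None or not host_allowed(parsed[0], allowed):
        return None
    host, port = parsed
    # Only a site-relative path may follow the host; "//" or "/\" would let a
    # browser treat the remainder as a new authority, and CR/LF would split headers.
    if (not target_path.startswith("/") or target_path[1:2] in ("/", "\\")
            or any(c in target_path for c in "\r\n")):
        return None
    authority = f"{host}:{port}" if port else host
    url = f"{scheme}://{authority}{target_path}"
    # Final sanity check: the assembled URL must parse back to the trusted authority.
    return url if urlsplit(url).netloc == authority else None
```

A request whose Host header is not on the list gets no redirect at all, which is the safe failure mode for a Location header built from client-controlled input.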

Additional Information

  1. List of Agent Configuration Parameters

  2. Help Prevent Attacks