John Herron brought my attention to an article he posted on NIST.org (Network Information Security Technology) where he discusses redirection holes and their practical security issues. I think he does a really good job of explaining the problem, where I might have failed over the last few weeks. As a web-application security threat the problem is relatively low-severity, but from a social engineering and obfuscation perspective the threat is, in my opinion, still not properly understood.
One thing he mentions in his article is something I have attempted to demonstrate at the bottom of the XSS Cheat Sheet: URL obfuscation makes this issue harder both to detect and even to see. He has really done a good job of showing something I haven't discussed, which is that adding extra parameters to the URL can make it nearly impossible to tell what is going on. It's worth reading if you still think redirection is a non-issue.
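As an added example (not code from the post or from either article), here is the kind of check a site can run on its own redirect parameter: it pulls the parameter out of a query string padded with extra parameters, then decides whether the target stays on the site's host even when the URL is obfuscated with percent-encoding, userinfo (user@host), backslashes or a protocol-relative prefix. The site host `example.com`, the parameter name `redirect`, the function names and the sample URLs are all assumptions constructed for the example.

```python
"""Validate an open-redirect parameter against the site's own host.

Constructed example: hostnames are RFC 2606 reserved example domains and
the parameter name 'redirect' is assumed; adjust both for a real site.
"""
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

SITE_HOST = "example.com"  # assumed host of the site doing the redirecting


def extract_redirect_param(url: str, name: str = "redirect") -> Optional[str]:
    """Return the named query parameter no matter how many others surround it."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding, bounded so a crafted value cannot loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """True only if the target stays on site_host or one of its subdomains."""
    # Browsers strip surrounding whitespace and treat '\' like '/'.
    normalized = fully_unquote(target).strip().replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # any non-web scheme is rejected outright
    if not parts.scheme and not parts.netloc:
        # Relative path: allow '/account' but not '//host' or '///host',
        # which browsers resolve to a different authority.
        return normalized.startswith("/") and not normalized.startswith("//")
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    return host == site_host or host.endswith("." + site_host)


def classify(urls):
    """Map each full URL to True/False for its redirect target, None if absent."""
    result = {}
    for url in urls:
        target = extract_redirect_param(url)
        result[url] = None if target is None else is_safe_redirect(target)
    return result
```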