I have the code below, where the Veracode security scan shows an open redirect flaw:
response.sendRedirect(Targetlocation);
I tried
// Validate the target with ESAPI before redirecting; only redirect when the check passes
if (!ESAPI.validator().isValidRedirectLocation("Redirect", Targetlocation, true)) {
    System.out.println("Bad redirect location: ");
} else {
    response.sendRedirect(Targetlocation);
}
But it is still not working.
This type of flaw also requires that you provide an allow-list of what your application considers "safe" redirects. Anything that doesn't match something in that list should be rejected and logged.
However, since Veracode is not going to know whether or not what is in the allow-list is correct, you should get a security engineer to vet your corrected code and manually mark it as remediated in the Veracode portal. The Veracode scanners cannot decide what is safe or unsafe, so that step can't really be automated.
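One way to implement the allow-list the answer describes, as an added example that is not part of the original question or answer. It assumes a javax.servlet container, a hypothetical set of permitted hosts (www.example.com, login.example.com), a hypothetical safe fallback path /home, and a request parameter named target; none of these come from the original post. Note that ESAPI's isValidRedirectLocation matches the input against the Validator.Redirect pattern configured in ESAPI.properties, so it only passes targets that match whatever that pattern allows; the example below replaces it with an explicit check rather than relying on that configuration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeRedirectServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(SafeRedirectServlet.class.getName());

    // Hypothetical allow-list: the only external hosts this application will redirect to.
    // Set.of requires Java 9 or later.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "login.example.com");

    // Hypothetical site-local fallback used when the requested target is rejected.
    private static final String DEFAULT_TARGET = "/home";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String target = request.getParameter("target"); // hypothetical parameter name
        String safe = resolveSafeRedirect(target);
        if (safe == null) {
            // Reject and log, stripping CR/LF so the log entry cannot be forged.
            LOG.warning("Rejected redirect target: " + sanitizeForLog(target));
            response.sendRedirect(DEFAULT_TARGET);
            return;
        }
        response.sendRedirect(safe);
    }

    /**
     * Returns the target if it is a site-local path or an http(s) URL whose host is on the
     * allow-list, otherwise null. Parsing with java.net.URI makes "//evil.example" show up as
     * an authority rather than a path, so protocol-relative redirects are caught.
     */
    static String resolveSafeRedirect(String target) {
        if (target == null || target.isEmpty()) {
            return null;
        }
        // Some browsers treat a backslash as a path separator ("/\evil.example"); refuse it outright.
        if (target.indexOf('\\') >= 0) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            // Relative target: only accept an absolute path on this site. "//host/..." never
            // reaches here because URI parses "host" as the authority.
            return target.startsWith("/") ? target : null;
        }
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return null; // rejects javascript:, data:, and protocol-relative targets
        }
        if (uri.getRawUserInfo() != null) {
            return null; // "https://www.example.com@evil.example/" would otherwise look allowed at a glance
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        return uri.toString();
    }

    private static String sanitizeForLog(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

With this check in place, `/account?tab=1` and `https://login.example.com/start` are passed through, while `//evil.example/`, `https://www.example.com@evil.example/`, `javascript:alert(1)` and `/\evil.example` are all rejected and logged. Veracode will still flag the sendRedirect call, so the manual review and remediation marking the answer describes is still needed.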