
Open Redirect

An open redirect is a vulnerability that occurs when a web application accepts user-controlled input to determine the destination of a redirect without properly validating it. Attackers exploit this to redirect users to malicious sites while appearing to originate from a trusted domain.

Open redirect vulnerabilities arise when web applications use user-supplied parameters to construct redirect URLs. Common patterns include login pages that redirect to a return URL after authentication, link shorteners, and any functionality that forwards users based on a URL parameter. When these destinations are not validated, attackers can craft links that appear to point to the legitimate site but ultimately redirect victims to malicious destinations.

The primary risk of open redirects is enabling more convincing phishing attacks. Because the initial link contains the trusted domain, it can bypass email filters, URL reputation checks, and user suspicion. Victims who see a familiar domain in the URL are more likely to trust the destination page, making credential harvesting attacks significantly more effective.

Open redirects can also be chained with other vulnerabilities. They are commonly used to bypass SSRF protections, steal OAuth tokens by redirecting authorisation codes to attacker-controlled servers, or bypass content security restrictions. In OAuth flows, an open redirect on the client application can lead to full account takeover.

Mitigation strategies include avoiding user-controlled redirect destinations wherever possible, maintaining a strict allowlist of permitted redirect URLs or domains, using indirect references (such as mapping IDs to pre-defined URLs), validating that redirect targets stay within the same domain, and warning users before redirecting them to external sites.
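The allowlist and indirect-reference mitigations above, as an added example that is not part of the original page: a validator for a user-supplied return URL that accepts only same-site relative paths or absolute URLs whose host is on an allowlist, and rejects the usual ways an attacker-controlled destination is smuggled past a naive check (protocol-relative `//host`, backslashes, credentials in the authority, non-http schemes, embedded control characters). The allowed hosts and the named-redirect table are constructed values for this example.

```python
from urllib.parse import urlparse

# Constructed for this example: hosts a redirect may legitimately target,
# and a table of named destinations for the indirect-reference pattern.
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
NAMED_REDIRECTS = {"dashboard": "/dashboard", "settings": "/account/settings"}
FALLBACK = "/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK) -> str:
    """Return `target` if it is a same-site relative path or an absolute URL whose
    host is on the allowlist; otherwise return `fallback`. Never raises."""
    if not target or target != target.strip():
        return fallback
    # Browsers strip tabs/newlines ("/\t/evil" -> "//evil") and treat backslash
    # as a slash ("/\evil" -> "//evil"); reject both rather than normalise.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target) or "\\" in target:
        return fallback
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash so that a
        # protocol-relative "//evil.example/..." is not accepted as a path.
        return target if target.startswith("/") and not target.startswith("//") else fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback          # javascript:, data:, and scheme-less "//host"
    if parts.username is not None or parts.password is not None:
        return fallback          # "https://app.example.com@evil.example"
    host = parts.hostname        # lowercased, port stripped, userinfo removed
    if host is None or host.rstrip(".") not in allowed_hosts:
        return fallback          # also rejects "app.example.com.evil.example"
    return target


def resolve_named_redirect(key: str, table=NAMED_REDIRECTS, fallback=FALLBACK) -> str:
    """Indirect reference: the client supplies an ID, never a URL."""
    return table.get(key, fallback)


if __name__ == "__main__":
    for candidate in ("/account/settings", "//evil.example/x", "/\\evil.example",
                      "https://app.example.com.evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```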

Related Terms

redirect, phishing, URL validation
