
What is an open redirect?

An open redirect lets an attacker use a trusted site’s own link to send users to a malicious destination, powering phishing and helping bypass other controls. Here is what it is and how to validate redirects properly.

TL;DR

An open redirect is a vulnerability where an application redirects users to a URL taken from user input without validating it, so an attacker crafts a link on the trusted domain that bounces the victim to a malicious site. On its own it mainly enables convincing phishing (the link starts with your real domain), but it also helps bypass allow-lists and amplifies attacks like SSRF and OAuth token theft. The fix is to never redirect to a raw user-supplied URL, using an allow-list or relative paths instead.

By Shubham Khandare, Delivery Manager, SecureLayer7

What an open redirect is

Sites often redirect after an action, for example ?next=/dashboard after login. An open redirect is when that destination comes from user input and is not checked, so an attacker supplies an external URL.

The victim sees a link that begins with the trusted site, clicks it trusting the domain, and is bounced to the attacker’s site. The trust placed in the legitimate domain is exactly what the attacker borrows.

How it works and example

The attacker crafts a link using the site’s redirect parameter:

  • https://trusted.example/login?next=https://evil.example sends the user to the attacker after login.
  • Bypasses of naive checks: //evil.example (protocol-relative), https://trusted.example.evil.example, whitespace/encoding tricks, or @ confusion (https://trusted.example@evil.example).
  • Chained into OAuth/OIDC flows, an open redirect can steal authorization codes or tokens.

Examples shown for defensive context.

How to fix it

  • Avoid user-supplied redirect targets. Prefer relative paths or a server-side mapping (a short token to a known destination).
  • Allow-list destinations (exact hosts/paths) and reject anything else, after decoding.
  • Reject protocol-relative and absolute external URLs where only internal redirects are intended.
  • Show an interstitial for any unavoidable external redirect.
  • Test every redirect parameter, including OAuth redirect_uri handling.
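One way to implement the allow-list check described above, written as an added example (not SecureLayer7's own code). The allowed host set, the default target and the function name are assumptions; the rejected inputs are the bypass shapes listed earlier on this page.

```python
from urllib.parse import urlsplit, unquote, urlunsplit

# Assumed configuration; a real application would load these from its settings.
ALLOWED_HOSTS = {"trusted.example"}
DEFAULT_TARGET = "/dashboard"


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a site-relative redirect path, or the default if the input is unsafe.

    Accepted: relative paths ("/account") and https URLs whose host is exactly
    in allowed_hosts (reduced to their path, so the response never carries a host).
    Rejected: protocol-relative "//evil.example", external or look-alike hosts
    ("trusted.example.evil.example"), userinfo tricks ("trusted.example@evil.example"),
    non-https schemes, backslashes, control characters and encoded variants.
    """
    if not next_param:
        return default
    # Decode twice so a double-encoded "%252F%252F" cannot slip past the checks,
    # then strip surrounding whitespace that some browsers ignore.
    candidate = unquote(unquote(next_param)).strip()
    # Browsers treat "\" like "/" and skip some control characters; reject both.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in candidate):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets
        return default
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: only https to an exact allowed host,
        # and never with userinfo, which is how "@" confusion works.
        if parts.scheme != "https" or parts.username is not None:
            return default
        if parts.hostname not in allowed_hosts:
            return default
        path = parts.path or "/"
    else:
        path = parts.path
    # What remains must be a plain site-relative path ("//" would be protocol-relative).
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```

The function always answers with a relative path, so even an allow-listed absolute URL is rewritten to stay on the current origin.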
