Open Redirect Vulnerabilities: How Attackers Abuse URL Redirects

An open redirect vulnerability exists when your website accepts user-controlled input in a URL parameter and redirects users to that URL without validation. Attackers exploit this to craft phishing URLs that appear to originate from your trusted domain, making them far more convincing than a direct link to a malicious site.

How Open Redirects Work

Many web applications use URL parameters to redirect users after actions like login, logout, or form submission:

https://yoursite.com/login?redirect=/dashboard

If the application doesn't validate the redirect parameter, an attacker can craft:

https://yoursite.com/login?redirect=https://evil-site.com/phishing

The victim sees your trusted domain in the URL, logs in, and gets silently redirected to the attacker's site — which may look identical to yours and ask for additional credentials or payment information.

Why Open Redirects Are Dangerous

• Phishing amplification: Your domain's reputation makes phishing links more convincing and bypasses email filters
• OAuth token theft: Attackers can steal authorization codes by redirecting OAuth callbacks to their server
• Chain attacks: Open redirects can be combined with SSRF or XSS to escalate the impact
• SEO poisoning: Spammers use your domain's authority to redirect link juice to their sites
• Trust erosion: Users lose confidence when your site sends them to unexpected destinations

Common Vulnerable Patterns

Query Parameter Redirects

// Vulnerable: no validation
app.get('/redirect', (req, res) => {
  res.redirect(req.query.url);
});

Post-Login Redirects

// Vulnerable: redirect after authentication
app.post('/login', (req, res) => {
  authenticate(req.body);
  res.redirect(req.body.returnUrl);
});

Meta Refresh and JavaScript Redirects

<!-- Vulnerable: user-controlled meta refresh -->
<meta http-equiv="refresh" content="0;url=USER_INPUT">

<!-- Vulnerable: user-controlled JavaScript redirect -->
<script>window.location = userInput;</script>

How to Prevent Open Redirects

1. Whitelist Allowed Destinations

The most secure approach — only allow redirects to a predefined list of URLs or paths:

const allowedRedirects = ['/dashboard', '/profile', '/settings'];

app.get('/redirect', (req, res) => {
  const target = req.query.url;
  if (allowedRedirects.includes(target)) {
    res.redirect(target);
  } else {
    res.redirect('/');
  }
});

2. Restrict to Relative Paths

Only allow relative paths (starting with /) and reject absolute URLs:

function isSafeRedirect(url) {
  // Must start with / and not with // (protocol-relative URL)
  return url.startsWith('/') && !url.startsWith('//');
}

app.get('/redirect', (req, res) => {
  const target = req.query.url;
  res.redirect(isSafeRedirect(target) ? target : '/');
});

3. Validate Against Your Domain

If you must allow absolute URLs, verify the hostname matches your domain:

function isInternalUrl(url, allowedHost) {
  try {
    const parsed = new URL(url);
    return parsed.hostname === allowedHost;
  } catch {
    return false;
  }
}

4. Use Signed Redirect Tokens

For redirects that must go to external sites, use HMAC-signed tokens that can't be forged:

const token = hmacSign(redirectUrl + timestamp, secretKey);
// Verify the token before redirecting

Bypass Techniques to Watch For

Attackers use creative techniques to bypass redirect validation:

• URL encoding: %68%74%74%70%73%3a%2f%2f decodes to https://
• Domain confusion: https://yoursite.com@evil.com — the browser navigates to evil.com
• Protocol-relative: //evil.com bypasses checks for http:// or https://
• Backslash trick: https://yoursite.com\.evil.com may be parsed differently
• Data URIs: data:text/html,<script>... can execute JavaScript

Testing for Open Redirects

1. Identify all redirect parameters in your application (url, redirect, return, next, goto, target)
2. Test each with an external URL like https://example.com
3. Try bypass techniques: URL encoding, protocol-relative URLs, domain confusion
4. Check both GET and POST parameters
5. Run a SecScanner scan — the Open Redirect Detection check automatically identifies vulnerable redirect patterns

Open Redirect Prevention Checklist

• Audit all redirect endpoints in your application
• Implement whitelist-based validation for redirect targets
• Reject absolute URLs unless the domain is verified
• Block protocol-relative URLs (//evil.com)
• URL-decode input before validation to prevent encoding bypasses
• Use POST instead of GET for redirect parameters when possible
• Log all redirect attempts for security monitoring
• Run regular security scans with SecScanner to catch regressions

Open redirects are often underestimated but can be devastating in phishing campaigns. Validating redirect targets is a simple defense that protects both your users and your domain's reputation.