AppSecExplained

Open redirect

What is it?

An Open Redirect vulnerability allows an attacker to redirect a user to an arbitrary website of the attacker's choosing. It occurs when an application takes user-supplied data and uses it, without validation, as the target of a redirection. Because the link starts on a trusted domain, this can be used to facilitate phishing attacks, steal sensitive information, or perform other malicious activities.
A simple example
Consider a website that uses a URL parameter to redirect the user to a specified page. For example: http://website.com/redirect?site=http://some-site.com. An attacker could replace "http://some-site.com" with a malicious site, then trick a user into following the crafted link.
Open Redirects can lead to:
  • Phishing attacks
  • Disclosure of sensitive information
  • Malware installation
  • Execution of arbitrary scripts

Other learning resources:
  • OWASP: https://owasp.org/www-community/attacks/Unvalidated_Redirects_and_Forwards
  • PortSwigger: https://portswigger.net/web-security/unvalidated-redirects

Checklist

  • Does the application use redirection functions that include user-supplied input?
  • Are redirects implemented without validation of the target URL?
  • Can an attacker manipulate the redirection URL to point to an arbitrary domain?
  • Does the application append user-supplied input into the URL causing the redirection?
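The second checklist item asks whether the target URL is validated. The following is an added example (not code from AppSecExplained) showing the unvalidated pattern from the page beside an allowlist-based check; the host allowlist and the base URL http://website.com/ are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allowlist: the only hosts this application should ever redirect to.
ALLOWED_HOSTS = {"website.com", "www.website.com"}
FALLBACK = "/"  # where to send the user when the requested target is rejected


def vulnerable_redirect_target(site: str) -> str:
    """The pattern described above: ?site= is used as the Location header unchanged."""
    return site


def safe_redirect_target(site: str, base: str = "http://website.com/") -> str:
    """Resolve `site` against the application's own origin and only allow
    http(s) targets whose host is on the allowlist; otherwise fall back to "/"."""
    if not site:
        return FALLBACK
    # Browsers treat backslashes like forward slashes ("/\evil.com" -> "//evil.com"),
    # so normalise them before parsing to avoid a parser/browser mismatch.
    candidate = site.replace("\\", "/")
    parsed = urlsplit(candidate)
    # Reject non-http(s) schemes such as javascript: or data:.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return FALLBACK
    # Relative paths ("/account") resolve to our origin; absolute URLs and
    # protocol-relative URLs ("//evil.com") keep their own host.
    resolved = urlsplit(urljoin(base, candidate))
    # .hostname drops userinfo, so "http://website.com@evil.com" yields "evil.com".
    host = resolved.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return FALLBACK
    return resolved.geturl()


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and several attacker-style variants.
    for site in ["/account", "https://www.website.com/login",
                 "http://malicious-site.com", "//evil.com/x", "/\\evil.com",
                 "http://website.com.evil.com/", "http://website.com@evil.com/",
                 "javascript:alert(1)"]:
        print(f"{site!r:40} vulnerable -> {vulnerable_redirect_target(site)!r:40} "
              f"safe -> {safe_redirect_target(site)!r}")
```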

Exploitation

Craft a URL whose redirect parameter points to a malicious site
http://website.com/redirect?site=http://malicious-site.com
Trick the user into clicking the link
"You've won a prize! Click here to claim: http://website.com/redirect?site=http://malicious-site.com"