
What is an open redirect and how can it be exploited and prevented?

An open redirect is a vulnerability where an application uses an attacker-controlled URL parameter to redirect the browser to an arbitrary destination, with no validation.

Example: https://bank.com/login?next=https://evil.com/phish. After login, the app redirects to whatever the next parameter contains without checking it. The attacker sends victims this link — it points at bank.com (a trusted domain, so it looks legitimate in link previews and hover text), but after login it lands them on a phishing page.

Exploitation scenarios:

  • Phishing: the legitimate domain lends credibility; victims don't notice the redirect.
  • OAuth token theft: the authorization server delivers the code or token to the redirect_uri; if that parameter is validated loosely (prefix or domain match) and the registered domain hosts an open redirect, the code or token can be bounced on to an attacker-controlled site.
  • SSRF facilitation: server-side fetches that follow redirects can be redirected to internal services.

Prevention:

  1. Allow-list only: if you need post-login redirects, validate that the next URL is a relative path (/dashboard) or matches a list of approved URLs. Reject any URL with a host/scheme.
  2. Relative paths only: a bare startsWith('/') check is not sufficient (e.g. //evil.com is a protocol-relative URL that browsers resolve to a foreign host). Parse the value with the URL constructor against the app's own origin and check that the parsed origin equals the app origin (window.location.origin on the client).
  3. Warn before external redirect if you must redirect off-domain.
  4. Avoid passing redirect targets in URL parameters where possible; prefer session state.
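Worked example of steps 1 and 2, added here and not part of the SecPrep answer: a validator for the next parameter that parses the value against an assumed app origin (https://bank.com), keeps only same-origin results as a relative path, and permits one constructed allow-listed host (help.bank.com); everything else falls back to "/".

```javascript
// Added example (not from the page). APP_ORIGIN and APPROVED_HOSTS are
// assumptions: the app's own origin and an allow-list of approved off-domain hosts.
const APP_ORIGIN = 'https://bank.com';
const APPROVED_HOSTS = new Set(['help.bank.com']); // constructed allow-list

// Returns a safe redirect target for an untrusted `next` value, or '/' if it
// cannot be trusted. Parsing with the WHATWG URL constructor is what defeats
// the classic bypasses: '//evil.com' and '/\evil.com' both resolve to a
// foreign origin, and 'https://bank.com@evil.com' has host evil.com.
function safeRedirectTarget(next, appOrigin = APP_ORIGIN, approvedHosts = APPROVED_HOSTS) {
  if (typeof next !== 'string' || next.length === 0) return '/';

  let url;
  try {
    // Relative paths resolve against appOrigin; absolute URLs keep their own origin.
    url = new URL(next, appOrigin);
  } catch {
    return '/'; // unparseable input is never a valid destination
  }

  // Reject javascript:, data: and other non-HTTP schemes outright.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '/';

  // Same-origin: hand back a relative path so no host ever reaches the Location header.
  if (url.origin === appOrigin) {
    return url.pathname + url.search + url.hash;
  }

  // Explicitly approved external host (exact host match, HTTPS only).
  if (url.protocol === 'https:' && approvedHosts.has(url.host)) {
    return url.href;
  }

  return '/';
}
```

Note that the allow-list matches the exact host, not a suffix; a suffix check would accept bank.com.evil.com.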