Open Redirect is a web application vulnerability where an attacker tricks the application into redirecting users to a malicious or untrusted external site by manipulating URL parameters or links.
redirect url next return destination r forward go checkout continue
https://oauth-provider.com/auth? client_id=123& redirect_uri=https://attacker.com/callback
window.location.href = new URLSearchParams(
window.location.search
).get('redirect');// Double encoding %252F%252Fevil.com // UTF-8 encoding %C2%A0evil.com // HTML entities //evil.com
// Missing protocol //evil.com/path // JavaScript protocol javascript:alert(1) // Data URI data:text/html,<script>alert(1)</script>
1. Victim receives: https://trusted.com/login?redirect=phish.com 2. Trusted site redirects to phishing page 3. Phishing page steals credentials
<form action="https://bank.com/transfer" method="POST"> <input type="hidden" name="amount" value="1000"> <input type="hidden" name="to" value="attacker"> </form> <script>document.forms[0].submit()</script>
// Python example
ALLOWED_DOMAINS = ['example.com', 'trusted.org']
def safe_redirect(url):
domain = urlparse(url).netloc
if domain not in ALLOWED_DOMAINS:
return "/" # Default safe location
return url// Only allow paths, not full URLs
function validateRedirect(path) {
return path.startsWith('/') ? path : '/';
}from django.utils.http import is_safe_url
redirect_to = request.GET.get('next')
if not is_safe_url(redirect_to, allowed_hosts=request.get_host()):
redirect_to = '/'@Controller
public class RedirectController {
public String redirect(@RequestParam String url) {
// Validate URL against whitelist
if (!SecurityUtils.isSafe(url)) {
return "redirect:/";
}
return "redirect:" + url;
}
}Content-Security-Policy: default-src 'self'; form-action 'self'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
This content is provided for educational purposes only. Never test security vulnerabilities against systems without explicit permission. Unauthorized testing may violate laws.