
Open Redirect

A vulnerability where an application redirects users to arbitrary external URLs based on user-controlled input without proper validation.

An open redirect is a vulnerability that occurs when a web application accepts a user-controlled URL parameter and redirects the user to that URL without validating that the destination is trusted. Attackers exploit this to redirect victims to malicious sites while the link appears to originate from a legitimate domain.

How It Works

Many applications implement redirect functionality for legitimate purposes — returning users to their original page after login, tracking outbound clicks, or handling URL shortening. These features typically take the redirect destination as a query parameter, such as https://trusted-site.com/login?redirect=https://evil-site.com.

When the application does not validate the redirect target, an attacker can craft a URL that appears to come from the trusted domain but sends the user to a malicious site. Phishing attacks leverage this heavily. A victim sees a link pointing to their bank's domain, clicks it, and is silently redirected to a convincing phishing page that harvests their credentials.

Bypass techniques are numerous. Validation that checks for a trusted domain prefix can be defeated with trusted-site.com.evil.com. Checks for a domain substring can be bypassed with evil-trusted-site.com. URL encoding, double encoding, backslash substitution (https://trusted-site.com\@evil.com), and protocol-relative URLs (//evil.com) are common evasion methods.

Open redirects also serve as building blocks for more severe attacks. In OAuth flows, an open redirect on the callback domain can be used to steal authorization codes. Combined with other vulnerabilities, open redirects enable server-side request forgery, header injection, or token theft.

Prevention

Maintain an allowlist of permitted redirect destinations and reject any URL that does not match. For redirects within the same application, use relative paths instead of absolute URLs. If external redirects are necessary, use an intermediate confirmation page that shows the user where they are being redirected. Avoid relying on blacklists or pattern matching, as attackers consistently find bypass techniques.
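To make the bypass list from "How It Works" and the allowlist advice above concrete, here is an added example (not code from this glossary or its authors) of a redirect validator written in Python with only the standard library. It assumes the application has already percent-decoded the `redirect` query parameter the way web frameworks normally do, that the allowed hosts `trusted-site.com` and `www.trusted-site.com` are constructed placeholder values, and it sets a naive prefix check beside the hardened one so the difference shows on the exact strings the text lists.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this application will redirect to.
ALLOWED_HOSTS = {"trusted-site.com", "www.trusted-site.com"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_prefix_check(target: str) -> bool:
    """The weak check the glossary warns about: a trusted-domain prefix test.

    Accepts https://trusted-site.com.evil.com, https://trusted-site.com@evil.com
    and the backslash variant, because all of them start with the prefix."""
    return target.startswith("https://trusted-site.com")


def is_safe_redirect(target: str, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Allowlist-based check on a (framework-decoded) redirect parameter.

    Accepts either a same-site relative path with exactly one leading slash,
    or an absolute http(s) URL whose parsed hostname is on the allowlist."""
    if not target or not target.isascii():
        return False
    # Browsers strip tabs/newlines and treat backslash like a slash; rather
    # than try to normalise those, refuse any such character outright.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return False

    parts = urlsplit(target)

    if not parts.scheme and not parts.netloc:
        # Relative path. "//host" and "///host" are network-path references
        # in browsers (urlsplit parses "///host" as path "/host"), so insist
        # on a single leading slash. Protocol-relative "//host" never reaches
        # this branch: urlsplit puts "host" into netloc.
        return target.startswith("/") and not target.startswith("//")

    # Absolute URL: scheme must be http/https (rejects javascript:, data:,
    # and protocol-relative URLs, whose scheme is empty), no userinfo
    # (https://trusted-site.com@evil.com), and the parsed host must match
    # an allowlisted host exactly (defeats trusted-site.com.evil.com and
    # evil-trusted-site.com). "https:evil.com" has an empty netloc and is
    # rejected via the missing hostname.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if "@" in parts.netloc or not parts.hostname:
        return False
    return parts.hostname.lower() in allowed_hosts


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the target if it passes validation, otherwise a safe default."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed test vectors, taken from the bypass patterns described above.
    samples = [
        "/account/settings",
        "https://trusted-site.com/account",
        "https://trusted-site.com.evil.com",
        "https://evil-trusted-site.com",
        "https://trusted-site.com@evil.com",
        "https://trusted-site.com\\@evil.com",
        "//evil.com",
        "///evil.com",
        "https:evil.com",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_prefix_check(s)!s:5} "
              f"hardened={is_safe_redirect(s)}")
```

The design point is that the decision is made on the parsed host component, compared for equality against an allowlist, never on a substring or prefix of the raw string; and anything that cannot be parsed unambiguously (control characters, backslashes, userinfo, an empty scheme) is rejected rather than normalised, which is what keeps encoding and parser-differential tricks from mattering.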

Why It Matters

Open redirects abuse the trust users place in legitimate domains. While sometimes classified as low severity in isolation, they are frequently chained with other vulnerabilities to achieve account takeover, credential theft, and token exfiltration in OAuth implementations.
