Open Redirect
Home /
Glossary Index /
Alphabet O
A link on a trusted website sends you to your bank. Or does it? Open redirect vulnerabilities allow attackers to turn legitimate domains into phishing launchpads. You see a URL starting with your trusted bank’s domain. You click. The site redirects you to a fake banking page that looks identical to the real one. You enter your credentials. The attacker now has your username and password. Open redirects seem simple. Their real danger comes from exploitation chains.
What Is an Open Redirect?
Open redirect (also known as unvalidated redirects and forwards) is a vulnerability that occurs when a web application redirects users to a URL supplied via an unvalidated parameter. While open redirects can be used for phishing on their own, their primary value to attackers is as a component in exploit chains. They allow an attacker to bypass domain-based validation checks and redirect security-sensitive flows, such as OAuth authorization, through the legitimate domain to an attacker-controlled destination. OWASP classifies open redirect under Broken Access Control (A01:2025) in the OWASP Top 10.
How Open Redirects Work
Many web applications redirect users as part of normal workflows. A site might redirect back to a requested page after login. It might forward to a partner site after completing an action. It might handle OAuth callback URLs. When the redirect target comes from user-controlled input and is not validated, an attacker can substitute a malicious URL. The legitimate application performs the redirect because it trusts the parameter. The victim lands on the attacker’s site but arrived via a trusted domain.
Real-World Impact
The most common use of open redirects is phishing. Because the link starts with a legitimate domain, victims trust it and click through. The application then silently redirects them to an attacker-controlled site that mimics the real login page, harvesting their credentials. The main danger of open redirects is as building blocks in exploit chains. Security-critical systems like OAuth authorization servers validate that redirect_uri belongs to a trusted domain. If that trusted domain contains an open redirect, the attacker can supply a redirect_uri that passes validation but ultimately forwards the user along with authorization codes or tokens to an attacker-controlled server. Open redirects can similarly bypass SSRF protections when a server-side request to a trusted domain gets redirected to an internal resource.
Common Open Redirect Locations
Login flows with a next parameter. Example: /login?next=https://attacker.com. Post-action redirects like /logout?return_to=https://attacker.com. Generic redirect endpoints like /go?url=https://attacker.com, often left over from marketing or link-tracking features.
Prevention Strategies
Never trust user-supplied redirect URLs without validation. Validate redirect targets against an allowlist of approved domains. Use relative paths instead of full URLs when possible. Avoid generic redirect endpoints that forward arbitrary URLs. If you must redirect, validate the target belongs to your domain or a trusted partner. Implement integrity checks on redirect parameters. Test your applications for open redirect vulnerabilities using both manual and automated tools.
The OAuth Connection
Open redirects are especially dangerous in OAuth implementations. OAuth requires that redirect_uri belong to a trusted domain. An open redirect on that domain allows attackers to steal authorization codes. The fix is strict redirect_uri validation and requiring PKCE. OAuth implementations that do not enforce exact redirect_uri matching or do not require PKCE are vulnerable.
Open redirects are often dismissed as low severity. This is a mistake. In isolation, they enable phishing. In exploit chains, they enable token theft, SSRF attacks, and full account compromise. Validate every redirect target. Always.