An open redirect occurs if an application takes a parameter and redirects the user to that URL without any other validation.
What can happen?
In most cases, Open Redirect is very easy to exploit, which increases the likelihood of someone finding the vulnerability and abusing it. However, the potential impact of Open Redirect is not necessarily that dangerous on its own. It is mostly used in phishing attacks, or in chained attacks where Open Redirect is only one of several elements used.
Example of Open Redirect
A website uses a URL like this one to redirect users to its forum:
In a situation like this, the attacker could simply change the redirect parameter to one of their choice and, by doing so, trick the user into visiting the attacker’s site. That could look something like this:
There are a few possible ways to remediate this issue.
- Try to avoid redirects altogether. In most cases, they are not needed.
- If a redirect is necessary, do not trust user input for its destination.
- Map the destination input to a value that the server then translates to the original value before doing the redirect. This prevents the attacker from changing it.
- Have a list of allowed URLs - this can be done with regex. Be careful with this, as it is easy to make mistakes without realizing it.
- If none of the above is possible, force all redirects to a page where the user will have to click a button to confirm they are leaving your site.
One common, but insufficient, remediation method is ensuring that the URL starts with a ‘/’. An attacker could easily bypass that by just using ‘//’ instead of ‘https://’: a URL beginning with ‘//’ is protocol-relative, so the browser keeps the current scheme but navigates to whatever host follows the two slashes.
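The following is an added example, not code from the original article, showing the insufficient leading-‘/’ check beside two of the remediations listed above: a server-side mapping from a short key to the real destination, and a same-origin check for relative paths. The site origin, the key map and the hostnames are constructed values for this example.

```python
from typing import Optional
from urllib.parse import urljoin, urlparse

# Constructed for this example: the application's own origin and the
# server-side map from a redirect key to the real destination path.
SITE_ORIGIN = "https://example.com"
REDIRECT_MAP = {"forum": "/forum/", "account": "/account/settings"}


def naive_is_safe(target: str) -> bool:
    """The insufficient check from the text: only requires a leading '/'.
    A protocol-relative URL such as '//attacker.example' passes it."""
    return target.startswith("/")


def is_local_redirect(target: str) -> bool:
    """Accept only paths that stay on SITE_ORIGIN.

    Rejects empty values, anything not starting with '/', protocol-relative
    '//host' values, and anything that resolves to another scheme or host.
    """
    if not target or not target.startswith("/") or target.startswith("//"):
        return False
    resolved = urlparse(urljoin(SITE_ORIGIN, target))
    site = urlparse(SITE_ORIGIN)
    return resolved.scheme == site.scheme and resolved.netloc == site.netloc


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it is a local path, otherwise fall back to default."""
    return target if is_local_redirect(target) else default


def resolve_redirect_key(key: str) -> Optional[str]:
    """Mapping approach: the client supplies a key, the server chooses the
    destination. Unknown keys yield None so the caller can fall back."""
    return REDIRECT_MAP.get(key)


if __name__ == "__main__":
    for candidate in ["/forum/", "//attacker.example", "https://attacker.example/"]:
        print(f"{candidate!r}: naive={naive_is_safe(candidate)} "
              f"local={is_local_redirect(candidate)}")
```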