Open Redirect
An open redirect lets attackers craft URLs on the target's domain that bounce victims to an arbitrary external site.
Definition
An open redirect is a vulnerability in which an application accepts a target URL from user input (typically a `?redirect=` or `?next=` query parameter) and issues an HTTP redirect to that URL without validating that the destination belongs to the application. The attacker uses the application's trusted domain as a launch point: a phishing email sends the victim to a URL that genuinely starts with the legitimate origin, then bounces them to the attacker's site.
In isolation the bug is rated low severity: no data is leaked and no code runs. Its value to an attacker is as an amplifier for adjacent attacks. Combined with an OAuth flow whose `redirect_uri` check is a prefix or domain match rather than an exact match, it leaks authorization codes or tokens to the attacker's site; combined with a single sign-on flow, it lands the victim on a credential-harvesting clone immediately after a genuine login; combined with an SSRF filter that only inspects the initial hostname, it lets a request to an allowed host be bounced to an origin of the attacker's choosing.
How it works
The application's login flow accepts a `?return_to=` parameter and, after authentication, issues a `302` response whose `Location` header is built directly from that parameter. The attacker links to `https://target.com/login?return_to=https://attacker.example/`. The victim sees `target.com` in the email link and in the URL bar, logs in, and is redirected to the attacker's clone of the site, where they may re-enter their credentials, grant an attacker-controlled OAuth application broad scopes, or download malware. The same flaw appears behind weaker fixes: a check that the target "starts with `/`" still passes `//attacker.example` (protocol-relative) and `/\attacker.example` (browsers treat the backslash as a slash).
Impact
Phishing amplification (the link genuinely points at the trusted domain, so URL inspection by the user and reputation-based mail filtering pass it); OAuth authorization-code or token theft when the vulnerable endpoint sits on a host that a lax `redirect_uri` check accepts; bypass of "trusted referrer" or hostname-allowlist checks elsewhere in the application, including SSRF filters that validate only the first hop.
Mitigation
Validate redirect targets against an allowlist of internal paths, or better, accept an opaque key that the server maps to a path so that no URL is ever taken from the request. If a path must be accepted, parse it with a real URL parser and reject anything with a scheme or authority component, protocol-relative URLs (`//attacker`), backslash variants (`/\attacker`, which browsers normalise to `//attacker`), runs of leading slashes (`////attacker`), dot-segments, and whitespace or control characters; check the parsed form, not a string prefix. For OAuth, register exact `redirect_uri` values and compare by exact string match, never by prefix or domain. Where a flexible redirect is genuinely required, have the server sign the target with an HMAC (including an expiry, and ideally the session identifier) when it generates the link, and verify the signature in constant time on the redirect handler before honouring the target; an unsigned or expired target falls back to the application root.
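The weak check from the "How it works" section beside the validation and HMAC-signed redirect described under "Mitigation", as an added example that is not code from the original page. The handler name `login_redirect_target`, the signing key, and the sample payloads are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit


def naive_is_local(target: str) -> bool:
    """The check a first fix usually makes ("relative paths start with /").
    Kept here as the weak version: it passes //attacker and /\\attacker."""
    return target.startswith("/")


def is_safe_redirect(target: str) -> bool:
    """Allow only absolute paths on this origin: no scheme, no authority,
    no backslash or multi-slash tricks, no dot-segments, no control chars."""
    if not target:
        return False
    # Whitespace and control characters are stripped or reinterpreted by some
    # servers and browsers before parsing, so refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/" in special-scheme URLs, so /\host is //host.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False  # absolute URL (https://, javascript:, https:host) or //host
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return False  # relative path, or ////host which browsers collapse to //host
    if any(seg in (".", "..") for seg in path.split("/")):
        return False  # defence in depth: no path normalisation surprises
    return True


# Constructed example key: in production load it from a secret store, not source.
SECRET = b"constructed-example-key-not-for-production"


def sign_redirect(target: str, key: bytes = SECRET, ttl: int = 300, now=None) -> str:
    """Server-side token binding an external target to an expiry: '<exp>.<hex hmac>'."""
    exp = int(now if now is not None else time.time()) + ttl
    tag = hmac.new(key, f"{exp}|{target}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{tag}"


def verify_redirect(target: str, token: str, key: bytes = SECRET, now=None) -> bool:
    """True only if the token was minted for exactly this target and has not expired."""
    try:
        exp_s, tag = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if exp < (now if now is not None else time.time()):
        return False
    expected = hmac.new(key, f"{exp}|{target}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def login_redirect_target(return_to: str, sig: str = "") -> str:
    """Value the login handler may put in Location: a same-origin path, or an
    external target carrying a valid signature; anything else falls back to /."""
    if is_safe_redirect(return_to):
        return return_to
    if sig and verify_redirect(return_to, sig):
        return return_to
    return "/"


if __name__ == "__main__":
    # Constructed payloads: the first two slip past the naive check.
    for payload in ["//attacker.example/", "/\\attacker.example", "/dashboard"]:
        print(f"{payload!r:28} naive={naive_is_local(payload)!s:5} "
              f"safe={is_safe_redirect(payload)}")
    tok = sign_redirect("https://partner.example/cb")
    print(login_redirect_target("https://partner.example/cb", tok))
    print(login_redirect_target("https://attacker.example/", tok))
```

Note that `is_safe_redirect` never returns the parsed-and-reassembled URL; the handler redirects to the original string only after the parsed form passes every check, so there is no gap between what was validated and what is emitted.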
Examples
- CVE-2021-43798 — Grafana path traversal (unauthenticated arbitrary file read via `../` sequences under the `/public/plugins/<plugin-id>/` route). Note that this is a path-handling bug rather than an open redirect proper; it is frequently cited alongside open-redirect chains because both stem from trusting an unvalidated, user-supplied URL component.