An open redirect is a vulnerability that allows your website, web application, or API to be used as a tool to trick others into visiting malicious sites. Similar to reflected cross-site scripting, open redirects are most often used in phishing attempts and other social engineering attacks. If someone receives a link that looks legitimate because it contains your domain name, they are more likely to click that link – and when they do, the open redirect vulnerability in your web application will be used to redirect the victim to a site controlled by a malicious hacker.
Open redirects are a specific type of unvalidated redirects and forwards.
Severity: | severe |
---|---|
Prevalence: | discovered regularly |
Scope: | web applications that use redirects |
Technical impact: | victims visit malicious websites |
Worst-case consequences: | severe reputation loss |
Quick fix: | do not redirect to URLs provided by user input |
Websites and web applications can change the URL accessed by a client:
There are several ways that web applications can perform such changes from the back-end, including:
Redirects and forwards can be static (hard-coded in the web application) or dynamic (influenced by the client).
A dynamic redirect is considered unsafe if the destination URL can be manipulated by the client (for example, constructed from parameters provided by the client). It is considered open if the client can directly provide the target URL and no sanitization is performed. Here are some examples of safe redirects and unsafe/open redirections:
In general, whenever you use a dynamic redirect (based on data from the client), you should treat the URL inputs as untrusted data. Otherwise, attackers may be able to redirect the browser to a malicious site and use your domain name to fool the victim.
For example, if your domain is example.com, the attacker may create a URL with the following query string for the url parameter:
http://www.example.com/redirect.php?url=http://shadow.vulnweb.com
The attacker may then send this URL as part of a phishing attack to redirect the victim to a malicious website at shadow.vulnweb.com. The attacker would be hoping that example.com at the beginning will make the URL more trustworthy and persuade the user to click on the link and fall for the phishing scam.
The following simple PHP code creates an open redirect:
```php
<?php
// No validation: whatever the client supplies in ?url= becomes the Location header.
$redirect = $_GET['url'];
header("Location: " . $redirect);
```
This is an open redirection vulnerability because the attacker may supply a malicious website URL in the url parameter value of the GET request. This target URL will then be sent unsanitized in the Location header, redirecting the client to a malicious web page.
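As an added example that is not part of the original article, the following Python mirrors the decision the PHP handler above fails to make and applies the allowlist approach recommended in the prevention section: a requested target is accepted only if it is a site-relative path or an http(s) URL whose host is on an allowlist, and everything else falls back to a fixed default. The allowlist hosts, the default target and the sample inputs are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: the only hosts the redirect may send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"   # where the user lands when the requested target is rejected


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET) -> str:
    """Return `url` if it is a site-relative path or an http(s) URL on an allowlisted
    host; otherwise return `default`. Replaces the unchecked $_GET['url'] above."""
    if not url or any(c in url for c in "\r\n\0"):
        return default                      # CR/LF would also allow header injection
    # Browsers treat '\' like '/', so '\\host' and '/\host' are protocol-relative URLs.
    candidate = url.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:                      # e.g. a malformed IPv6 literal
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading '/'. '///host' is rejected because
        # browsers collapse the extra slashes and treat 'host' as the authority.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default                      # rejects javascript:, data: and '//host'
    # .hostname strips userinfo and port, so http://www.example.com@evil.test is
    # judged by 'evil.test'; www.example.com.evil.test is simply not allowlisted.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    return urlunsplit(parts._replace(path=parts.path or "/"))


def demo() -> dict:
    """Constructed values a client might put in ?url=, mapped to the final target."""
    samples = [
        "/account?tab=1",
        "https://www.example.com/account",
        "http://shadow.vulnweb.com",
        "//shadow.vulnweb.com",
        "\\\\shadow.vulnweb.com",
        "http://www.example.com@shadow.vulnweb.com/",
        "http://www.example.com.shadow.vulnweb.com/",
        "javascript:alert(1)",
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for requested, final in demo().items():
        print(f"{requested!r:50} -> {final}")
```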
If you have an open redirection vulnerability, it makes many other attacks possible:
The best way to detect open redirection vulnerabilities varies depending on whether they are already known or unknown.
The safest way to prevent open redirection vulnerabilities is not to use any redirections in your web applications. If this is not possible, you can attempt the following approaches:
Neither web server configuration nor development environment settings can fully prevent developers from using redirects. There are too many ways to perform a redirect, and web development languages such as Java or PHP rarely provide language constructs dedicated to URL redirection that could be disabled on their own.
End-users may attempt mitigation by relying on specific browser configurations or extensions. The wikiHow article on blocking page redirects has an extensive list of instructions for turning off automatic redirections in different browsers.
Classification | ID |
---|---|
CAPEC | 194 |
CWE | 601 |
WASC | 38 |
OWASP 2021 | A1 |
An open redirect is a web application security issue that lets a malicious hacker use a vulnerable website or web application to change the URL in the user’s browser. Most often, the victim visits the vulnerable website via a provided link, and the website then redirects them to a malicious location.
Learn more about the general dangers of unvalidated redirects and forwards.
Open redirections are most often used in phishing attacks but, in some cases, may also let the attacker exploit other vulnerabilities, such as XSS, SSRF, or CRLF injection. Specifically, open redirections are very useful for attackers to evade filters created to prevent other vulnerabilities.
The best way to avoid open redirects is to refrain from using any dynamic redirects in your web applications. Static redirects, i.e. ones leading to URLs that are hard-coded into the application, are safe. If that is not possible, filter user input against a whitelist. Any other methods, such as blacklists, may be evaded by sophisticated attackers.
Read about general cybersecurity best practices concerning user input in web applications.