Open Redirect
Understand how open redirect vulnerabilities enable phishing attacks and security bypasses. Learn to exploit redirect parameters without validation to redirect users to malicious sites.
Introduction to Open Redirect
theoryLearn what open redirect vulnerabilities are, why they matter, and common attack scenarios.
Introduction to Open Redirect
What is an Open Redirect?
An open redirect occurs when an application sends users to a destination URL controlled by user input, without validation.
Example
GET /redirect?next=https://trusted.com/dashboard
Impact
- Phishing attacks using trusted domains
- Bypass domain allow-lists
- Chaining to server-side request (SSRF)
Knowledge Check
What is a primary risk posed by open redirects?
Typical Open Redirect Patterns
theoryWhere open redirects occur and how to detect them.
Typical Open Redirect Patterns
Where to find open redirects
- Login flows: ?next=/path
- Return-To parameters
- Tracking/callback URLs
Code Smell
return redirect(request.GET.get('next'))
Defenses
- Whitelist domains or internal paths
- Normalize and validate destination
- Prefer internal route names instead of raw URLs
Knowledge Check
Which prevents open redirects?
Basic Open Redirect - Redirect to Attacker
simulationExploit a naive redirect parameter to send a user to attacker domain.
Simulation Objective
Exploit a naive redirect parameter to send a user to attacker domain.
Target
/redirect?next=https://example.com
Scenario
Redirect to attacker
Phishing Simulation via Open Redirect
simulationShow how attackers make a trusted-looking link forward to evil site.
Simulation Objective
Show how attackers make a trusted-looking link forward to evil site.
Target
/redirect?next=
Scenario
Phishing link
Open Redirect Chaining to SSRF or Internal Targets
simulationUse nested redirect to reach simulated internal host.
Simulation Objective
Use nested redirect to reach simulated internal host.
Target
/redirect?next=
Scenario
Chain to internal
Bypass Attempts & URL Encodings
theoryEncoding tricks that bypass naive validation (educational only).
Bypass Attempts & URL Encodings
Bypass Tricks
- Percent-encoding
- Protocol-relative URLs (//evil.com)
- username@host patterns
- Nested redirects
Knowledge Check
Which encoding can bypass naive checks?
Open Redirect Prevention & Best Practices
theoryHow to safely handle redirects.
Open Redirect Prevention & Best Practices
Prevention
- Whitelist allowed redirect domains
- Only allow internal routes
- Normalize URLs before validation
- Optionally show confirmation for external redirects
Knowledge Check
Which is a secure redirect pattern?