
Open Redirect

What does this mean?

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

What can happen?

The impact varies, from theft of information and credentials to redirection to malicious websites containing attacker-controlled content, which in some cases can even lead to XSS. So even though an open redirect might sound harmless at first, its impact can be severe if it is exploitable.

Recommendation

  • You can prevent redirects to other domains by validating the URL before it is passed to the redirect function.
  • Make sure all redirect URLs are relative paths – i.e. they start with a single / character (a leading // is protocol-relative and sends the browser to another host).

Sample Code

Vulnerable:

string url = request.QueryString["url"];
Response.Redirect(url);

Non Vulnerable:

Response.Redirect("~/folder/Login.aspx");

Vulnerable:

response.sendRedirect(request.getParameter("url"));

Non Vulnerable:

response.sendRedirect("http://www.mysite.com");

Vulnerable:

$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);

Non Vulnerable:

/* Redirect browser */
header("Location: http://www.mysite.com");
/* Exit to prevent the rest of the code from executing */
exit;
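The two recommendations above (validate the redirect target; accept only paths that start with a single /) written out as a small validator. This is an added example, not code from the original page; it is framework-neutral Python so the same logic can be ported to the ASP.NET, Java and PHP patterns shown, and the function names and sample inputs are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# ASCII control characters and space: never legitimate in a redirect target and
# the raw material of header injection (CR/LF) or browser URL normalisation.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_local_path(target: str) -> bool:
    """Return True only if `target` is a same-site path: a single leading '/',
    no scheme, no authority, and nothing a browser could reinterpret."""
    if not target or _CONTROL_OR_SPACE.search(target):
        return False  # empty, whitespace or control characters
    if "\\" in target:
        return False  # browsers treat '\' like '/', so '/\host' leaves the site
    if target.startswith("//"):
        return False  # protocol-relative URL resolves to another host
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False  # absolute URL (https://..., javascript:, mailto:, ...)
    return parts.path.startswith("/")


def resolve_redirect(user_url: Optional[str], fallback: str = "/") -> str:
    """Hardened counterpart of `Response.Redirect(request.QueryString["url"])`:
    the user-supplied value is used only if it passes is_safe_local_path,
    otherwise the application falls back to a fixed local page."""
    if user_url is not None and is_safe_local_path(user_url):
        return user_url
    return fallback


if __name__ == "__main__":
    # Constructed inputs: legitimate same-site paths and typical escape attempts.
    for candidate in ["/account/settings", "/folder/Login.aspx?next=1",
                      "//evil.example/", "https://evil.example/",
                      "javascript:alert(1)", "/\\evil.example", "evil.example"]:
        print(f"{candidate!r:32} -> {resolve_redirect(candidate)}")
```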
