What is Open redirect?
A bug class where an application redirects the user to a URL controlled by the attacker, typically through an unvalidated `?returnTo=` or `?next=` parameter. Used in phishing campaigns to make malicious links look legitimate.
Full explanation
Open redirect happens when an application takes a redirect target from user input (a URL parameter, form field, or cookie) and redirects to it without validating that the target is on the application's own domain. The attack: send a victim a phishing link such as `https://your-app.com/login?returnTo=https://attacker.com/fake-login`. The user trusts the your-app.com domain, completes login, and is then redirected to attacker.com, which serves a credential-harvesting page. Open redirects are especially common in OAuth flows where the `redirect_uri` parameter is not strictly validated against an allowlist.
Example
The after-login handler reads the `returnTo` query parameter and calls `redirect(returnTo)` without validation. Fix: validate the value against an allowlist of known-safe paths, or restrict it to relative URLs only (rejecting any value containing `://` or starting with `//`, and normalising the backslash and percent-encoded variants that browsers treat as equivalent before checking).
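The fix described above, written out as an added example (this is illustrative code, not code from the original page or from any particular framework). It assumes a hypothetical `SAFE_PATHS` allowlist and `DEFAULT_TARGET` fallback, and shows both options from the text: accepting only same-origin relative paths, or accepting only paths on an allowlist. The normalisation step goes slightly beyond the text: it also handles protocol-relative, backslash, percent-encoded and control-character variants that browsers would still resolve to a foreign host.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allowlist of in-app paths and the fallback target (assumptions
# for this example; a real application would list its own post-login pages).
SAFE_PATHS = {"/dashboard", "/settings", "/account"}
DEFAULT_TARGET = "/dashboard"


def normalise_local_path(target: Optional[str]) -> Optional[str]:
    """Return the cleaned target if it is a same-origin relative path, else None.

    Rejects absolute URLs (anything with a scheme or host), protocol-relative
    URLs (//evil.example) and the variants browsers normalise into those forms:
    backslashes, percent-encoded slashes and embedded control characters.
    """
    if not target:
        return None
    # Decode once so %2F%2F cannot hide a leading '//' from the checks below.
    cleaned = unquote(target).strip()
    # Browsers treat '\' like '/' when parsing URLs, so '/\evil' means '//evil'.
    cleaned = cleaned.replace("\\", "/")
    # Browsers drop tabs/newlines before parsing, so '/%09/evil' becomes '//evil'.
    cleaned = "".join(ch for ch in cleaned if ch.isprintable())
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return None
    parts = urlsplit(cleaned)
    # A local path has neither a scheme nor a network location component.
    if parts.scheme or parts.netloc:
        return None
    return cleaned


def resolve_redirect(target: Optional[str], mode: str = "relative") -> str:
    """Pick a safe post-login destination, falling back to DEFAULT_TARGET.

    mode="relative":  any same-origin relative path is accepted.
    mode="allowlist": only paths listed in SAFE_PATHS are accepted
                      (the query string is ignored for the comparison).
    """
    cleaned = normalise_local_path(target)
    if cleaned is None:
        return DEFAULT_TARGET
    if mode == "allowlist":
        return cleaned if urlsplit(cleaned).path in SAFE_PATHS else DEFAULT_TARGET
    return cleaned


def after_login(return_to: Optional[str]) -> str:
    """Hypothetical login handler: returns the Location the app should send.

    The vulnerable version of this handler is a single line,
    `return redirect(return_to)`, with no validation at all.
    """
    return resolve_redirect(return_to, mode="relative")


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are attacker-shaped.
    for value in ["/dashboard", "/settings?tab=1",
                  "https://attacker.example/fake-login", "//attacker.example",
                  "/\\attacker.example", "%2F%2Fattacker.example",
                  "/%09/attacker.example", "javascript:alert(1)"]:
        print(f"{value!r:40} -> {after_login(value)}")
```

The order of the normalisation steps matters: decoding has to happen before the `//` check, and the backslash and control-character cleanup has to happen before `urlsplit`, otherwise each of the rejected inputs above would pass one check while still resolving to a foreign host in the browser.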
Related
FAQ
Why is open redirect dangerous if it just redirects? My app's data is safe.
The damage is to your users and your reputation. An open redirect on your-app.com gets used in phishing campaigns: the attacker's email links look like your-app.com (they ARE your-app.com), users trust them, and the redirect lands them on attacker-controlled credential-harvesting pages. Your domain becomes an unwilling phishing accomplice, and users learn to distrust your-app.com.
How do OAuth flows interact with open-redirect risk?
OAuth's `redirect_uri` parameter is the canonical open-redirect surface. The OAuth provider redirects the user back to the URI specified in the request; if the provider does not strictly allowlist URIs, an attacker can craft an OAuth flow that redirects to attacker.com after the user authenticates. The fix is allowlist-only `redirect_uri` validation by exact string comparison, with the allowlist registered out-of-band at client registration time (not taken from the OAuth request itself).
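An added example of the provider-side check described above (illustrative code, not from the original page or from any OAuth library). It assumes a hypothetical `REGISTERED_CLIENTS` registry populated out-of-band, and uses the simple exact string comparison that RFC 6749 §3.1.2.3 prescribes; a URI that differs from a registered one by scheme, port, path suffix, query string or letter case is rejected rather than treated as "close enough".

```python
from typing import Optional

# Constructed registry of redirect URIs, registered out-of-band when each client
# was onboarded (assumption for this example; a real provider stores these in a
# database and never lets the authorization request add entries to it).
REGISTERED_CLIENTS = {
    "client-123": {
        "https://your-app.com/oauth/callback",
        "https://staging.your-app.com/oauth/callback",
    },
    "client-456": {
        "https://single.example/cb",
    },
}


def resolve_redirect_uri(client_id: str, requested: Optional[str]) -> Optional[str]:
    """Return the redirect URI the provider may send the user to, or None.

    None means the authorization request must be rejected with an error shown
    on the provider's own page; the user must NOT be redirected anywhere.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return None  # unknown client_id
    if requested is None:
        # RFC 6749 3.1.2.3: a client with exactly one registered URI may omit
        # redirect_uri from the request; otherwise it is required.
        return next(iter(registered)) if len(registered) == 1 else None
    if "#" in requested:
        return None  # RFC 6749 3.1.2: the redirection endpoint must not carry a fragment
    # Exact, case-sensitive match. No prefix, suffix, substring or host-only
    # matching, which is what lets near-miss URIs through in weak implementations.
    return requested if requested in registered else None


if __name__ == "__main__":
    # Constructed authorization-request inputs for client-123.
    for uri in ["https://your-app.com/oauth/callback",
                "http://your-app.com/oauth/callback",
                "https://your-app.com:8443/oauth/callback",
                "https://your-app.com/oauth/callback/extra",
                "https://your-app.com/oauth/callback?next=x",
                "https://YOUR-APP.com/oauth/callback",
                "https://attacker.example/oauth/callback"]:
        print(f"{uri:48} -> {resolve_redirect_uri('client-123', uri)}")
```

When the result is `None`, the provider must render the error itself rather than redirecting to the requested URI with an error code, since redirecting on failure would re-create exactly the open redirect this check is meant to close.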