URL Redirection to Untrusted Site
- CWE 601
- OWASP 2017-A10
- WASC 38
Open Redirect is a vulnerability that occurs when a web application accepts untrusted input to construct a URL for redirection without proper validation. Attackers can exploit this flaw to redirect users to malicious sites, enabling phishing, credential theft, malware delivery, and other social engineering attacks. Open Redirects are particularly dangerous when combined with legitimate domains, as users may trust the original site and fall victim to attacks.
Common vulnerable patterns:
- Using query parameters directly in redirect functions, e.g., window.location.href = request.query["url"] or Response.Redirect(Request["next"]).
- Accepting user input for login success, logout, or post-payment redirects without validating the target URL.
- Lack of whitelisting or domain verification for redirect targets.
- Constructing URLs dynamically without sanitization or canonicalization.
Impacts:
- Phishing: Users are tricked into visiting malicious websites that appear trustworthy.
- Malware Delivery: Redirected users may be served malicious content or drive-by downloads.
- Reputation Damage: Users may associate attacks with the legitimate site.
- Bypass Security Controls: Attackers may exploit open redirects to bypass domain-based restrictions or filters.
Detection indicators:
- Parameters in URLs used for redirection that can accept arbitrary input.
- Automated security scanners detecting redirect targets to attacker-controlled domains.
- Testing with known payloads (e.g., ?next=http://evil.com) resulting in successful redirection.
Remediation
Mitigation strategies focus on validating and controlling the target of redirects:
Use a Whitelist of Trusted URLs or Paths
Only allow redirects to predefined paths or domains. Map user-supplied tokens or keys to safe URLs on the server side.
Avoid Direct User Input in Redirects
Do not directly concatenate or use request parameters for redirect URLs. Treat user input as a reference rather than a literal URL.
Canonicalize and Validate URLs
Ensure the target URL is within the same domain or part of allowed domains. Reject inputs that point to external or untrusted hosts. Resolve the input with a standards-compliant URL parser and compare the resulting host against the allowed set, rather than checking string prefixes, so that protocol-relative, backslash, and userinfo forms are judged by where they actually resolve.
Relative Paths Instead of Full URLs
Prefer relative paths for internal redirects (e.g., /dashboard) instead of full URLs.
Encode Redirect Parameters
When passing URLs as query parameters, encode and validate them to prevent manipulation.
User Warnings
If redirects to external sites are unavoidable, consider showing a warning page informing users they are leaving the trusted domain.
Security Testing and Code Review
Include redirect validation checks during code review and penetration testing. Test with multiple URL encoding variations to ensure robustness.
Monitor and Log Redirect Usage
Track redirect parameters and access patterns to detect abnormal redirection activity.