What is Open Redirection?

Open redirection is a web security vulnerability that occurs when a website or web application redirects users to a URL taken from untrusted input (typically a query parameter or form field) without validating that the target is one the application intends to send users to. Attackers exploit open redirection to lead users from a trusted domain to a site under the attacker's control, or to make users perform actions the website owner did not intend.

In an open redirection attack, an attacker crafts a URL on the legitimate, trusted domain of the vulnerable website but supplies a malicious destination in a parameter or query string. Because the link points at a domain the user recognises, it passes casual inspection (and many link filters) more easily than a direct link to the attacker's site. When the user clicks it, the website's redirect mechanism forwards the user to the attacker's URL, which can lead to phishing (for example a cloned login page on the attacker's domain), malware delivery, or theft of sensitive information.

Open redirection vulnerabilities arise when a website uses user-supplied input, such as a URL or path, as the target of a redirect without proper validation. To prevent them, developers should avoid placing user-controlled targets in redirects where possible (for example, keep the intended destination server-side and pass only an opaque identifier), and otherwise validate the target strictly: accept only relative paths on the same site, or absolute URLs whose scheme is http or https and whose host is on an allowlist of trusted domains, matched exactly rather than by prefix or substring. Restricting redirects to authenticated or authorized users does not mitigate the issue, because the victim is usually an already-authenticated user who clicks a crafted link; what matters is validation of the redirect target. Regular security testing, including vulnerability scanning and penetration testing, also helps identify open redirection vulnerabilities in web applications.

Open Redirection Types / Possible Vectors

There are several types of open redirection vulnerabilities that can occur in web applications. These include:

  1. URL-based open redirection: The most common form. The application takes a full URL from a request parameter (such as a url parameter) and uses it as the redirect target without validation. An attacker supplies a URL on a domain they control, and the application redirects the user there.
  2. JavaScript-based open redirection: The redirect is performed client-side, by assigning to window.location (or calling location.replace) with a value read from an untrusted source such as the query string, the URL fragment, or a postMessage payload. The attacker does not need to change the script itself; controlling the input the script reads is enough to send the user to a different domain.
  3. Meta refresh-based open redirection: The page emits an HTML meta refresh tag (<meta http-equiv="refresh" content="0;url=...">) whose url value comes from untrusted input. The browser follows it automatically, so an attacker-supplied value redirects the user just as a server-side redirect would.
  4. Header-based open redirection: The server responds with an HTTP 3xx status and a Location header whose value is built from untrusted input. This is the classic server-side variant: the attacker controls the header value through the input, and the browser follows it to the attacker's domain.
  5. Parameter-based open redirection: The redirect target is taken from a parameter in the URL query string or in a submitted form (including hidden fields) that the application trusts because it generated the value itself, but which the attacker can alter before submission. This overlaps with the URL-based case; the distinction is the channel through which the attacker controls the value, not the redirect mechanism.

It's important for web developers to be aware of these different types of open redirection vulnerabilities and implement proper validation and sanitization of user-supplied input to prevent such vulnerabilities in their web applications.

How Does Open Redirection Work?

Here is an example of vulnerable code in a PHP web application that demonstrates an open redirection vulnerability:

In this example, the web application takes a target URL from the url query parameter and uses it in a redirect without validating or sanitizing the input. This creates an open redirection vulnerability: an attacker can pass any URL as the url parameter, and the application will redirect the user to it.

For example, an attacker could create a URL like this:

When a user clicks on this URL, the vulnerable application automatically redirects the user to http://malicious.com, which could be a phishing website or a site hosting malware.
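The following PHP is an added example, not the page's original listing. It reconstructs the vulnerable behaviour the text describes (the url query parameter is used directly as the redirect target) and places it beside a hardened version that applies the allowlist validation recommended in the prevention guidance above. The file name redirect.php, the site example.com and its allowed hosts are assumptions for the illustration; the crafted attack link under those assumptions would be https://example.com/redirect.php?url=http://malicious.com. The constructed inputs include the page's payload plus the common shapes that defeat naive checks (scheme-relative //host, backslash, embedded whitespace, prefix-matching hosts, userinfo tricks and javascript: URLs).

```php
<?php
// Added example; not the page's original code. Assumed file: redirect.php on the
// hypothetical site https://example.com. Run with:  php redirect.php

// --- Vulnerable: whatever ?url= holds becomes the Location header (as the text describes) ---
function vulnerable_redirect_target(array $query): string
{
    return $query['url'] ?? '/';           // used as: header('Location: ' . $target); exit;
}

// --- Hardened: allowlist validation of the redirect target ---
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];   // assumption: this site's own hosts
const FALLBACK      = '/';

function safe_redirect_target(?string $target): string
{
    if ($target === null) {
        return FALLBACK;
    }
    // Browsers ignore ASCII control characters and whitespace inside URLs
    // ("java\tscript:", "\t//evil"), so strip them before any check.
    $target = preg_replace('/[\x00-\x20\x7f]/', '', $target);
    if ($target === '') {
        return FALLBACK;
    }

    // Case 1: a same-site path. Exactly one leading "/", not "//" or "/\": browsers treat
    // both of those as scheme-relative URLs that leave the site.
    if ($target[0] === '/' && !preg_match('#^/[/\\\\]#', $target)) {
        return $target;
    }

    // Case 2: an absolute URL. Only http(s) to an exactly matching allowlisted host.
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return FALLBACK;                     // "//malicious.com", "javascript:..." land here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return FALLBACK;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return FALLBACK;                     // http://example.com@malicious.com/
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return FALLBACK;                     // exact match rejects example.com.malicious.com
    }
    return $target;
}

// Constructed inputs: the page's payload plus common allowlist-bypass shapes.
$cases = [
    '/account/settings',
    'https://www.example.com/login',
    'http://malicious.com',
    '//malicious.com',
    '/\\malicious.com',
    "\t//malicious.com",
    'https://example.com.malicious.com/',
    'https://example.com@malicious.com/',
    'javascript:alert(1)',
];
foreach ($cases as $c) {
    printf("%-40s vulnerable -> %-40s hardened -> %s\n",
        json_encode($c), vulnerable_redirect_target(['url' => $c]), safe_redirect_target($c));
}
```

Two design choices matter here. The same-site check accepts only paths with a single leading slash, because //host and /\host are interpreted by browsers as scheme-relative URLs, so a "starts with /" check alone is bypassable. The absolute-URL check compares the parsed host against the allowlist with exact, case-insensitive equality rather than strpos or a startsWith test, which is what lets example.com.malicious.com and example.com@malicious.com through in many real implementations. Anything that fails validation falls back to the site root instead of echoing the rejected value.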

Impact of Open Redirection