1. Introduction
An Open Redirect vulnerability occurs when a web application accepts a parameter value that allows redirection to unrestricted locations. This can be used by attackers to trick users into visiting malicious websites, appearing legitimate because the redirect originates from a trusted domain. Web applications using URL redirects are commonly affected. A successful exploit could lead to phishing attacks and compromise user credentials or systems. Confidentiality, integrity, and availability may all be impacted depending on the attacker’s goals.
2. Technical Explanation
The root cause is typically a lack of validation on user-supplied input used in redirect URLs. An attacker can manipulate this input to point to an external, malicious site. Exploitation requires the application to accept and process a URL parameter without proper sanitisation or whitelisting.
- Root cause: Missing input validation on redirect parameters.
- Exploit mechanism: An attacker crafts a malicious URL containing a redirect parameter pointing to their controlled site. When a user clicks this link, they are redirected to the attacker’s site. For example, an application uses
https://example.com/redirect?url=https://attacker.comand the attacker changes it tohttps://example.com/redirect?url=https://evil.com. - Scope: Any web application using URL redirection functionality is potentially affected, regardless of platform or service.
3. Detection and Assessment
Confirm vulnerability by testing redirect functionality with external URLs. A quick check involves manually attempting to redirect to a known malicious domain. Thorough assessment requires analysing the source code for input validation routines related to redirects.
- Quick checks: Attempt redirection using a URL like
https://example.com/redirect?url=http://evil.comand observe if the browser redirects to evil.com. - Scanning: Burp Suite or OWASP ZAP can be used with active scanning rules for Open Redirects. These are examples only, results require manual verification.
- Logs and evidence: Check web server access logs for redirect requests containing external URLs. Look for patterns like
GET /redirect?url=http://.
curl -I https://example.com/redirect?url=http://evil.com4. Solution / Remediation Steps
Restrict redirect parameters to paths within the application. If relative paths are accepted, explicitly prepend the base path. This prevents attackers from directing users to external sites.
4.1 Preparation
- Ensure you have access to the source code repository for roll back purposes. A roll back plan involves restoring the previous version of the code or configuration.
- Change windows should be scheduled during off-peak hours and require approval from the application owner.
4.2 Implementation
- Step 1: Modify the redirect functionality to validate the input URL parameter.
- Step 2: Implement a whitelist of allowed domains or paths for redirection.
- Step 4: Test the changes thoroughly with both valid and invalid URLs.
4.3 Config or Code Example
Before
// Insecure redirect code (PHP example)
$redirectUrl = $_GET['url'];
header("Location: " . $redirectUrl);
After
// Secure redirect code (PHP example)
$allowedDomains = ['example.com', 'internal.example.net'];
$redirectUrl = $_GET['url'];
if (strpos($redirectUrl, '/') === 0) { // Relative path
$redirectUrl = '/'.$redirectUrl;
} elseif (!in_array(parse_url($redirectUrl, PHP_URL_HOST), $allowedDomains)) {
// Log the attempt and return an error.
error_log("Invalid redirect URL attempted: " . $redirectUrl);
die('Invalid Redirect');
}
header("Location: " . $redirectUrl);
4.4 Security Practices Relevant to This Vulnerability
List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.
- Practice 2: Least Privilege – Limit the permissions of accounts that can modify redirect configurations to reduce the impact if compromised.
4.5 Automation (Optional)
# Example Bash script to check for vulnerable redirect parameters in application files
find /path/to/application -type f -name "*.php" | grep -E '$_GET["url"]'
# This script identifies files containing the vulnerable parameter, but does not fix them. Manual review and remediation are required.5. Verification / Validation
Confirm the fix by attempting to redirect to a known malicious domain again. Verify that the application blocks the redirection and displays an error message or redirects to a safe location. A smoke test should confirm core functionality remains operational.
- Post-fix check: Attempt redirection using
https://example.com/redirect?url=http://evil.com. Expected output is an error message or no redirect occurring. - Re-test: Re-run the quick check from section 3 to confirm that the application no longer redirects to evil.com.
- Monitoring: Monitor web server logs for failed redirect attempts containing external URLs. Example query:
grep "Invalid Redirect" /var/log/apache2/error.log.
curl -I https://example.com/redirect?url=http://evil.com6. Preventive Measures and Monitoring
Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.
- Baselines: Update security baselines or policies to include requirements for input validation on all URL parameters used in redirects. For example, a CIS control related to secure coding practices.
- Pipelines: Add Static Application Security Testing (SAST) tools to the CI/CD pipeline to identify vulnerable redirect code during development.
- Asset and patch process: Implement a regular review cycle for application configurations and dependencies to ensure timely patching of security vulnerabilities.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 2: Changes to redirect logic could introduce compatibility issues with existing integrations. Mitigation: Review and test all related components.
- Roll back: Restore the previous version of the application code from the backup created in step 4.1. Stop and restart affected services if necessary.
8. References and Resources
Link only