logo

URL Redirection to Untrusted Site ('Open Redirect')

Draft Base
Structure: Simple
Description

An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website.

An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website.
Extended Description

This flaw is common in features like login redirects, logout pages, or language selectors that take a URL parameter. Attackers exploit it by tricking users into clicking a legitimate-looking link that actually points to a malicious site, which can be used for phishing, malware distribution, or stealing session tokens via referrer headers. To prevent this, developers should avoid using user input for redirect destinations altogether. If redirects are necessary, implement an allowlist of trusted, relative URLs or site-specific paths. Never rely on client-side validation or simply checking the domain name, as these can be bypassed. Server-side validation must strictly compare the intended redirect target against a predefined list of safe destinations.
Common Consequences 2
Scope: Access Control

Impact: Bypass Protection MechanismGain Privileges or Assume Identity

The user may be redirected to an untrusted page that contains malware which may then compromise the user's system. In some cases, an open redirect can also enable the immediate download of a file without the user's permission, because the redirection to an external site may lead to endpoints on those sites that automatically trigger a download action ("drive-by download" [REF-1478]). This will expose the user to extensive risk. The user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

Scope: Access ControlConfidentialityOther

Impact: Bypass Protection MechanismGain Privileges or Assume IdentityOther

By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam. The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
Detection Methods 10
Manual Static AnalysisHigh
Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
Automated Dynamic Analysis
Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.
Automated Static Analysis
Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Automated Static Analysis - Binary or BytecodeHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis
Dynamic Analysis with Automated Results InterpretationHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Web Application Scanner Web Services Scanner Database Scanners
Dynamic Analysis with Manual Results InterpretationHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Fuzz Tester Framework-based Fuzzer
Manual Static Analysis - Source CodeHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Manual Source Code Review (not inspections)
Automated Static Analysis - Source CodeHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer
Architecture or Design ReviewHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Potential Mitigations 6
Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. Use a list of approved URLs or domains to be used for redirection.
Phase: Architecture and Design
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) when generating the disclaimer page.
Phase: Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Phase: Architecture and Design
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (Use of Insufficiently Random Values).
Phase: Architecture and DesignImplementation

Strategy: Attack Surface Reduction

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Phase: Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Effectiveness: Moderate
Demonstrative Examples 2
The following code obtains a URL from the query string and then redirects the user to that URL.

Code Example:

Bad
PHP
php
The problem with the above code is that an attacker could use this page as part of a phishing scam by redirecting users to a malicious site. For example, assume the above code is in the file example.php. An attacker could supply a user with the following link:

Code Example:

Attack
bash
The user sees the link pointing to the original trusted site (example.com) and does not realize the redirection that could take place.

ID : DX-194

The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address.

Code Example:

Bad
Java
java
The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of an e-mail phishing scam to redirect users to a malicious site. An attacker could send an HTML formatted e-mail directing the user to log into their account by including in the e-mail the following link:

Code Example:

Attack
HTML
html
The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site.
Observed Examples 4
CVE-2005-4206URL parameter loads the URL into a frame and causes it to appear to be part of a valid page.
CVE-2008-2951An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function.
CVE-2008-2052Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter.
CVE-2020-11053Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (Improper Validation of Unsafe Equivalence in Input) to redirect to a malicious site (URL Redirection to Untrusted Site ('Open Redirect'))
References 7
Exploitable Redirects on the Web: Identification, Prevalence, and Defense
Craig A. Shue, Andrew J. Kalafut, and Minaxi Gupta
https://www.cprogramming.com/tutorial/exceptions.html(2023-04-07)
ID: REF-483
Open redirect vulnerabilities: definition and prevention
Russ McRee
(IN)SECURE
07-2008
https://img2.helpnetsecurity.com/dl/insecure/INSECURE-Mag-17.pdf(2025-07-29)
ID: REF-484
Top 25 Series - Rank 23 - Open Redirect
Jason Lam
SANS Software Security Institute
25-03-2010
https://www.sans.org/blog/top-25-series-rank-23-open-redirect(2025-07-29)
ID: REF-485
OWASP Enterprise Security API (ESAPI) Project
OWASP
https://owasp.org/www-project-enterprise-security-api/(2025-07-24)
ID: REF-45
Drive-by download
Wikipedia
24-05-2025
https://en.wikipedia.org/wiki/Drive-by_download(2025-08-21)
ID: REF-1478
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, and Rama S. Moorthy
07-2014
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx(2025-09-05)
ID: REF-1479
D3FEND: Application Layer Firewall
D3FEND
https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/(2025-09-06)
ID: REF-1481
Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Web Based : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Alternate Terms

Open Redirect

Cross-site Redirect

Cross-domain Redirect

Unvalidated Redirect

Drive-by download

an attack, sometimes enabled by open redirects, which redirects the victim to a site that automatically triggers a download action of malicious software or files
Related Weaknesses
ChildOf: Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
ChildOf: Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Taxonomy Mapping
  • WASC
  • Software Fault Patterns
Notes
OtherWhether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs.