Severity: medium | CWE-601 | OWASP Top 10 A01:2021

Client-Side Open Redirect

JavaScript that redirects users to URLs taken from query parameters or URL fragments without validation, enabling phishing attacks using your trusted domain as a launchpad.

How It Works

Users trust links from domains they recognize. An open redirect lets an attacker craft a URL like `https://yourapp.com/login?next=https://evil.com/fake-login`. Your app redirects to evil.com after login, and the victim — who saw your domain in the URL — trusts the destination. This is phishing using your reputation.

Vulnerable Code

// BAD: redirect to an unvalidated URL taken from a query parameter
const { searchParams } = new URL(window.location.href);
const next = searchParams.get('next');
if (next) window.location.href = next; // attacker controls the destination

Secure Code

// GOOD: only allow relative paths, never an external URL
const { searchParams } = new URL(window.location.href);
const next = searchParams.get('next') ?? '/dashboard';
// Must start with exactly one '/'. A second '/' or a backslash right after it
// ('//evil.com', '/\evil.com') is parsed by browsers as a protocol-relative URL
// pointing at another host, so both are rejected here.
const isRelative = next.startsWith('/') && !/^\/[\/\\]/.test(next);
window.location.href = isRelative ? next : '/dashboard';

Real-World Example

Open redirect + OAuth is a classic attack chain: the attacker sets the OAuth callback's 'redirect_uri' to your open redirect URL, with the redirect pointing to their site. Your app handles the OAuth callback and then redirects the browser, access token included, to the attacker's server. OWASP documents this extensively.

How to Prevent It

  • Only allow relative paths (starting with /) as redirect destinations
  • If external redirects are needed, maintain an explicit allowlist of trusted domains
  • Check that the destination URL has the same origin as your app using the URL constructor
  • Never use unvalidated URL parameters as redirect destinations after OAuth callbacks
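One way to implement these checks with the URL constructor, as an added example that is not the page's own code. The allowlist contents and the fallback path are assumptions; the function returns a relative path for same-origin targets and an absolute URL only for allowlisted hosts.

```javascript
// Added example: validate a redirect target by resolving it with the URL
// constructor and accepting only same-origin or allowlisted destinations.
const FALLBACK = '/dashboard';
// Assumed allowlist of external hosts that may legitimately receive redirects.
const ALLOWED_HOSTS = new Set(['accounts.example.com']);

function safeRedirectTarget(next, currentOrigin, fallback = FALLBACK) {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  let target;
  try {
    // Resolving against the current origin turns a relative path into an
    // absolute URL and applies the browser's own parsing rules, so tricks such
    // as '//evil.com', '/\evil.com' or 'https://yourapp.com@evil.com' end up
    // with the attacker's host in target.origin, where the check below sees it.
    target = new URL(next, currentOrigin);
  } catch {
    return fallback; // unparseable input
  }
  // Only web destinations: rejects javascript:, data:, and similar schemes.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return fallback;

  const sameOrigin = target.origin === new URL(currentOrigin).origin;
  const allowlisted = target.protocol === 'https:' && ALLOWED_HOSTS.has(target.host);
  if (!sameOrigin && !allowlisted) return fallback;

  // Keep same-origin targets relative so the result can never leave the app.
  if (sameOrigin) return target.pathname + target.search + target.hash;
  return target.href;
}

// Usage in the login page (constructed origin for illustration):
// const { searchParams } = new URL(window.location.href);
// window.location.href = safeRedirectTarget(searchParams.get('next'), window.location.origin);
```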

Affected Technologies

React, Next.js, JavaScript

Data Hogo detects this vulnerability automatically.