Severity: medium · CWE-601 · OWASP A01:2021

Open Redirect

Redirecting users to URLs from unvalidated query parameters allows attackers to craft phishing links that appear to come from your trusted domain.

How It Works

Open redirects occur when an application takes a URL from user input (query parameter, form field, or header) and redirects the user to it without validation. Attackers exploit this for phishing: they craft a link like https://yourapp.com/login?redirect=https://evil.com/fake-login. The victim sees the trusted domain in the URL and clicks. After logging in to the legitimate site, they are redirected to the attacker's phishing page that mimics the original site and asks for additional information. OAuth flows are especially vulnerable — an open redirect on the OAuth callback URL can leak authorization codes to attacker-controlled servers.

Vulnerable Code

app.get('/login', (req, res) => {
  // After authentication...
  const redirectUrl = req.query.redirect || '/';
  res.redirect(redirectUrl);
  // Attacker: /login?redirect=https://evil.com
});

Secure Code

app.get('/login', (req, res) => {
  const redirectUrl = req.query.redirect || '/';
  const ownOrigin = `${req.protocol}://${req.get('host')}`;
  let url;
  try {
    // Resolve against our own origin: absolute URLs, protocol-relative
    // values (//evil.com) and backslash variants (/\evil.com) all end up
    // with a foreign origin and are rejected below
    url = new URL(redirectUrl, ownOrigin);
  } catch {
    return res.redirect('/'); // unparsable input, fall back to home
  }
  // Only allow redirects to our own domain
  if (url.origin !== ownOrigin) {
    return res.redirect('/');
  }
  // Emit a path-only value so the host can never be swapped
  res.redirect(url.pathname + url.search);
});

Real-World Example

In 2023, an open redirect vulnerability in Microsoft's login flow was used in a large-scale phishing campaign. Attackers sent emails with links to legitimate Microsoft URLs that redirected to credential harvesting pages. Because the initial URL was microsoft.com, email security filters did not flag the messages.

How to Prevent It

  • Validate redirect URLs against an allowlist of permitted domains
  • Only allow relative path redirects and strip the protocol and host
  • Use URL parsing to verify the origin matches your application domain
  • Never pass full URLs as redirect parameters — use path-only values
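As an added, framework-independent example (not the page's own code), the validator below applies the four rules above in one place: it resolves the parameter against the app's origin, rejects non-http(s) schemes and unparsable input, returns path-only values for same-origin targets, and permits cross-origin targets only for exact hostnames on an allowlist. The origin and allowlist values are assumptions for illustration.

```javascript
// Added example, not from the page or the product it describes.
// Pure function so it can sit in front of res.redirect() in any server.
const OWN_ORIGIN = 'https://yourapp.com';                                  // assumed
const ALLOWED_HOSTS = new Set(['yourapp.com', 'accounts.yourapp.com']);   // assumed

// Returns a safe redirect target (same-origin path, or an allowlisted https
// URL) or '/' whenever the input cannot be trusted.
function safeRedirect(input, ownOrigin = OWN_ORIGIN, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== 'string' || input === '') return '/';
  let url;
  try {
    // Parsing against our own origin resolves relative paths; absolute URLs,
    // protocol-relative '//evil.com' and backslash '/\evil.com' forms all
    // resolve to a foreign origin and fall through to the checks below.
    url = new URL(input, ownOrigin);
  } catch {
    return '/';                       // invalid URL (e.g. 'http://['): go home
  }
  // A redirect target is only ever http(s); this drops javascript:/data: URLs.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '/';
  if (url.origin === ownOrigin) {
    // Same origin: hand back a path-only value, never the host.
    return url.pathname + url.search;
  }
  // Cross-origin: exact hostname match on the allowlist, https only.
  // Exact match defeats lookalikes such as yourapp.com.evil.com.
  if (url.protocol === 'https:' && allowedHosts.has(url.hostname)) {
    return url.href;
  }
  return '/';
}

// Constructed sample inputs, as a phishing link would supply them.
console.log(safeRedirect('/dashboard?tab=1'));          // /dashboard?tab=1
console.log(safeRedirect('https://evil.com/fake-login')); // /
console.log(safeRedirect('//evil.com'));                // /
```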

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP

Data Hogo detects this vulnerability automatically.
