FixVibe

// probes / spotlight

Open Redirect

Your /redirect?url=… without destination validation is a ready-made phishing kit.

The Bait

Open redirects are the user-trust equivalent of borrowing your brand. The user clicks a link because it starts with yourdomain.com — same TLS cert, same favicon, same muscle memory. Then your app dutifully redirects them to attacker.tld, where a pixel-perfect login page completes the heist. Browsers and email clients show your domain, not the destination, so the URL looks safe under inspection. Most security teams treat open redirects as low-severity bugs in isolation. They're not — they're the loading dock for every credential phishing campaign that wants legitimacy.

How It Works

Open redirects appear when a user-controlled destination is trusted without a strict allowlist. They are commonly abused for phishing, OAuth handoff abuse, and bypassing domain-based trust checks.

The Impact

Phishing leverage at scale. The link starts with your domain, has a valid TLS cert, passes link-preview cards in Slack and email clients with your favicon and OG metadata. End-users — who have been told for two decades to 'check the URL before clicking' — are tricked precisely because they did. Reputation impact compounds with deliverability damage if your domain gets associated with phishing campaigns. In OAuth contexts, an open redirect on `redirect_uri` is direct credential theft.

// what fixvibe checks

What FixVibe checks

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Watertight Defense

Validate redirect targets against an allowlist of relative paths or specific hostnames. The right shape: `if (!isSafe(next)) next = '/'`. The wrong shape: a regex that 'looks for' http:// at the start. Reject targets starting with `//` (protocol-relative), `http://`, `https://anything-not-yours`, `javascript:`, `data:`, `vbscript:`. For OAuth, configure the IdP with exact-match `redirect_uri` allowlisting — never wildcards, never partial matches. For OAuth public clients, use PKCE so an intercepted code is useless without the verifier. As a defense-in-depth layer, surface a confirmation page for any external redirect: 'You are being redirected to attacker.tld — Continue?' adds friction the phishing kit didn't account for. Audit every place your code calls `res.redirect(userInput)` or `window.location = userInput` — the bugs cluster around recently-added auth flows and 'just one more' redirect parameters.

The Bottom Line

Open redirects are rated low-severity in isolation and high-severity in practice. The bug is the lab; the impact is in the wild. Treat any user-controlled redirect target as a security boundary, not a routing convenience.

// run it on your own app

Keep shipping while FixVibe keeps watch.

FixVibe stress-tests your app's public surface the way an attacker would: no agent, no installation, no credit card. We continuously research new vulnerability patterns and turn them into practical checks and copy-ready fixes for Cursor, Claude and Copilot.

Active probes: 103 tests in this category
Modules: 27 dedicated active-probe checks
Per scan: 384+ tests across all categories
  • Free: no card, no installation, no Slack ping
  • Just paste a URL: we crawl, test and report
  • Findings sorted by severity, deduplicated on signal
  • Up-to-date AI-ready fix prompts for Cursor, Claude, Copilot
Start a free scan

// current checks · practical fixes · ship with confidence
