FixVibe


Open Redirect

Your /redirect?url=… that doesn't validate the destination is a phishing kit.

Why it matters

Open redirects are the user-trust equivalent of borrowing your brand. The user clicks a link because it starts with yourdomain.com: same TLS cert, same favicon, same muscle memory. Then your app dutifully redirects them to attacker.tld, where a pixel-perfect login page completes the heist. Browsers and email clients show your domain, not the destination, so the URL looks safe under inspection. Most security teams treat open redirects as low-severity bugs in isolation. They're not; they're the loading dock for every credential phishing campaign that wants legitimacy.

How it works

Open redirects appear when a user-controlled destination is trusted without a strict allowlist. They are commonly abused for phishing, OAuth handoff abuse, and bypassing domain-based trust checks.

Blast radius

Phishing leverage at scale. The link starts with your domain, has a valid TLS cert, and passes link-preview cards in Slack and email clients with your favicon and OG metadata. End users, who have been told for two decades to 'check the URL before clicking', are tricked precisely because they did. Reputation impact compounds with deliverability damage if your domain gets associated with phishing campaigns. In OAuth contexts, an open redirect on `redirect_uri` is direct credential theft.


What FixVibe checks

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Solid defenses

Validate redirect targets against an allowlist of relative paths or specific hostnames. The right shape: `if (!isSafe(next)) next = '/'`. The wrong shape: a regex that 'looks for' `http://` at the start. Reject targets starting with `//` (protocol-relative), `http://`, `https://anything-not-yours`, `javascript:`, `data:`, `vbscript:`. For OAuth, configure the IdP with exact-match `redirect_uri` allowlisting: never wildcards, never partial matches. For OAuth public clients, use PKCE so an intercepted code is useless without the verifier. As a defense-in-depth layer, surface a confirmation page for any external redirect: 'You are being redirected to attacker.tld. Continue?' adds friction the phishing kit didn't account for. Audit every place your code calls `res.redirect(userInput)` or `window.location = userInput`; the bugs cluster around recently added auth flows and 'just one more' redirect parameters.
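The allowlist shape above, written out for a Node/Express-style handler as an added example (not FixVibe's code or a check it ships). The origin `https://app.example.com` and the two allowlisted hostnames are assumptions standing in for your own app; it lets the URL parser resolve the target against your origin and then checks scheme, userinfo and exact hostname, instead of pattern-matching the raw string.

```javascript
// Added example, not FixVibe's code. Origin and allowlist are assumptions standing in
// for your own app; the allowlist holds exact hostnames, never patterns or suffixes.
const APP_ORIGIN = 'https://app.example.com';
const ALLOWED_HOSTS = new Set(['app.example.com', 'docs.example.com']);

// Returns the normalized absolute URL if `target` is a safe destination, else null.
function safeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) return null;
  // The WHATWG parser silently strips tabs/newlines and trims whitespace. A target
  // that needs that treatment is not one worth reasoning about, so reject it outright.
  if (/[\u0000-\u0020\u007f]/.test(target)) return null;
  let url;
  try {
    // Relative paths ("/dashboard") resolve against our own origin. Protocol-relative
    // ("//evil.tld") and backslash variants ("/\evil.tld") resolve to a foreign host,
    // so the hostname check below catches them without any string matching on "//".
    url = new URL(target, APP_ORIGIN);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;                  // javascript:, data:, vbscript:, plain http:
  if (url.username !== '' || url.password !== '') return null; // https://app.example.com@evil.tld
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;           // exact match: no suffix or prefix tricks
  return url.href;                                             // hand on the canonical form, not raw input
}

// The shape the page recommends: if (!isSafe(next)) next = '/'
function resolveRedirect(target, fallback = '/') {
  return safeRedirectTarget(target) ?? fallback;
}

// True when a validated destination leaves the app's own host, so the caller can show
// the "You are being redirected to docs.example.com. Continue?" interstitial first.
function isExternal(href) {
  return new URL(href, APP_ORIGIN).hostname !== new URL(APP_ORIGIN).hostname;
}

// Express-style usage (express itself is not needed to run this file):
// app.get('/redirect', (req, res) => res.redirect(resolveRedirect(req.query.url)));
```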

Bottom line

Open redirects are rated low-severity in isolation and high-severity in practice. The bug is the lab; the impact is in the wild. Treat any user-controlled redirect target as a security boundary, not a routing convenience.

// run it on your own app

Keep shipping while FixVibe keeps watch.

FixVibe tests your app's public surface the way an attacker would: no agent, no install, no credit card. We continuously research new vulnerability patterns and turn them into practical checks and paste-ready fixes for Cursor, Claude, and Copilot.