FixVibe

// probes / spotlight

Open Redirect

Your /redirect?url=… that doesn't validate the destination is a phishing kit.

The hook

Open redirects are the user-trust equivalent of borrowing your brand. The user clicks a link because it starts with yourdomain.com — same TLS cert, same favicon, same muscle memory. Then your app dutifully redirects them to attacker.tld, where a pixel-perfect login page completes the heist. Browsers and email clients show your domain, not the destination, so the URL looks safe under inspection. Most security teams treat open redirects as low-severity bugs in isolation. They're not — they're the loading dock for every credential phishing campaign that wants legitimacy.

Cum funcționează

Open redirects appear when a user-controlled destination is trusted without a strict allowlist. They are commonly abused for phishing, OAuth handoff abuse, and bypassing domain-based trust checks.

The blast radius

Phishing leverage at scale. The link starts with your domain, has a valid TLS cert, passes link-preview cards in Slack and email clients with your favicon and OG metadata. End-users — who have been told for two decades to 'check the URL before clicking' — are tricked precisely because they did. Reputation impact compounds with deliverability damage if your domain gets associated with phishing campaigns. In OAuth contexts, an open redirect on `redirect_uri` is direct credential theft.

// what fixvibe checks

What FixVibe checks

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Ironclad defenses

Validate redirect targets against an allowlist of relative paths or specific hostnames. The right shape: `if (!isSafe(next)) next = '/'`. The wrong shape: a regex that 'looks for' http:// at the start. Reject targets starting with `//` (protocol-relative), `http://`, `https://anything-not-yours`, `javascript:`, `data:`, `vbscript:`. For OAuth, configure the IdP with exact-match `redirect_uri` allowlisting — never wildcards, never partial matches. For OAuth public clients, use PKCE so an intercepted code is useless without the verifier. As a defense-in-depth layer, surface a confirmation page for any external redirect: 'You are being redirected to attacker.tld — Continue?' adds friction the phishing kit didn't account for. Audit every place your code calls `res.redirect(userInput)` or `window.location = userInput` — the bugs cluster around recently-added auth flows and 'just one more' redirect parameters.

The takeaway

Open redirects are rated low-severity in isolation and high-severity in practice. The bug is the lab; the impact is in the wild. Treat any user-controlled redirect target as a security boundary, not a routing convenience.

// run it on your own app

Keep shipping while FixVibe keeps watch.

FixVibe pressure-tests the public surface of your app the way an attacker would — no agent, no install, no card. We keep researching new vulnerability patterns and turn them into practical checks and paste-ready fixes for Cursor, Claude, and Copilot.

Probe active
103
tests fired in this category
modules
27
dedicated probe active checks
every scan
384+
tests across all categories
  • Free — no credit card, no install, no Slack ping
  • Just paste a URL — we crawl, probe, and report
  • Severity-graded findings, deduped to signal only
  • Current, AI-ready fix prompts you can paste into Cursor, Claude, Copilot
Run a free scan

// latest checks · practical fixes · ship with confidence

Open Redirect — Vulnerability Spotlight | FixVibe · FixVibe