Series: Notes on Web Hacking 101

Open Redirect Vulnerability

An open redirect vulnerability is when a victim follows a particular URL for a given website and that website then instructs the user’s browser to continue on to an entirely different URL (on a separate domain).

Example redirect website: https://www.yahoo.com?redirect_to=https://finance.yahoo.com

In this example, visiting the URL Yahoo receives a GET HTML request and uses the “redirect_to” parameter to discover where the visitor’s browser should be redirected to. Yahoo would return a 302 HTTP response (a 302 redirect is used when you want to temporarily redirect a URL, as opposed to a 301 redirect – a permanent redirect), instructing the visitor’s web browser to make a GET request to: https://finance.yahoo.com, the value of the parameter “redirect_to”.

For the sake of exploiting this vulnerability, suppose now you change the URL to: https://www.yahoo.com?redirect_to=https://www.evil.com

If Yahoo was not validating that the “redirect_to” parameter was for one of their own legitimate sites, this could be vulnerable for an open redirect attack, effectively returning an HTTP response instructing the visitor’s web browser to make a GET request to https://www.evil.com. That doesn’t sound good.

Open redirects allow a malicious attacker to redirect people unknowingly to a malicious website. Finding them, as these examples show, often requires keen observation. Redirect parameters are sometimes easy to spot with names like redirect_to=, domain_name=, checkout_url=, and so on. Whereas other times they may have less obvious names like r=, u=, and so on. This type of vulnerability relies on an abuse of trust, where victims are tricked into visiting an attacker’s site thinking they will be visiting a site they recognize. When you spot likely vulnerable parameters, be sure to test them out thoroughly and add special characters, like a period, if some part of the URL is hard-coded.

Peter Yaworski