External Redirect
| Field | Value |
|---|---|
| ID | external_redirect |
| Severity | critical |
| Kind | Redirect |
| CWE | 601 |
Description
This detector identifies open redirect vulnerabilities where user-supplied input controls the destination of HTTP redirects. The application accepts external URLs as redirect targets without proper validation, allowing attackers to craft malicious links that appear to originate from the trusted domain but redirect users to attacker-controlled sites. While URL redirectors serve legitimate purposes such as resource relocation, load balancing, and link tracking, unvalidated redirects create opportunities for phishing and social engineering attacks.
Rationale
Unvalidated redirects allow attackers to craft URLs on the trusted domain that redirect victims to phishing sites or malware distribution points. Users trust links appearing to originate from legitimate domains and are less likely to scrutinize the redirect destination. Attackers exploit this trust by embedding malicious redirect URLs in phishing emails, social media posts, or compromised websites. The vulnerability amplifies other attacks by providing a trusted initial landing page before the malicious redirect occurs.
Remediation
Implement an allow list of approved destination domains or URLs for redirects. Use indirect reference mapping where user-supplied values are mapped to predefined redirect destinations through numeric IDs or tokens rather than accepting raw URLs. Validate that redirect URLs belong to the same domain or to explicitly approved external domains. If external redirects are necessary, display an intermediate warning page informing users they are leaving the trusted site, requiring explicit confirmation before proceeding. Avoid passing user-controlled data directly to redirect functions. Use server-side validation to ensure redirect parameters conform to expected patterns and reject any input containing absolute URLs or protocol handlers unless explicitly allowed.
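The remediation steps above (indirect reference mapping, same-site or allow-listed hosts, rejection of absolute URLs and protocol handlers, and a leaving-site warning for approved external hosts) as an added Python example; this is not the detector's own code, and the hosts, tokens and map are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for this example: the site's own host, the approved external
# hosts, and an indirect reference map (token -> destination) instead of raw URLs.
OWN_HOST = "example.com"
ALLOWED_HOSTS = {OWN_HOST, "docs.example.com"}
REDIRECT_MAP = {"home": "https://example.com/", "help": "https://docs.example.com/start"}
FALLBACK = "/"

def vulnerable_redirect_target(next_param: str) -> str:
    """The pattern this detector flags: the user-supplied value becomes the
    Location header unchanged, so any external URL in ?next= is honoured."""
    return next_param

def safe_redirect_target(next_param: str) -> str:
    """Resolve a user-supplied redirect value to a mapped token, a root-relative
    path on this site, or an absolute http(s) URL on an allow-listed host.
    Anything else falls back to the site root."""
    if not next_param:
        return FALLBACK
    # Indirect reference mapping: a short token selects a predefined destination.
    if next_param in REDIRECT_MAP:
        return REDIRECT_MAP[next_param]
    # Browsers treat "\" like "/", so "/\host" is really "//host": normalise first,
    # and refuse control characters that can confuse URL parsing.
    cleaned = next_param.strip().replace("\\", "/")
    if any(not ch.isprintable() for ch in cleaned):
        return FALLBACK
    parts = urlsplit(cleaned)
    # No scheme and no authority: accept only a root-relative path. "//host/..."
    # is protocol-relative and would leave the site, so it is rejected here.
    if parts.scheme == "" and parts.netloc == "":
        return cleaned if cleaned.startswith("/") and not cleaned.startswith("//") else FALLBACK
    # Absolute URL: only http(s), no userinfo, no port, exact host match (urlsplit
    # lower-cases the host; "example.com.other.test" does not match "example.com").
    try:
        if parts.scheme not in ("http", "https") or parts.username is not None or parts.port is not None:
            return FALLBACK
    except ValueError:  # non-numeric port such as ":abc"
        return FALLBACK
    return cleaned if parts.hostname in ALLOWED_HOSTS else FALLBACK

def needs_leaving_warning(target: str) -> bool:
    """True when an accepted target points at an approved external host, so the
    caller can show the "you are leaving this site" confirmation page first."""
    host = urlsplit(target).hostname
    return host is not None and host != OWN_HOST
```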