🧠 Description

Open Redirect occurs when an application uses user-controlled input (typically a query parameter such as `url`, `next` or `redirect`) to decide where a redirect sends the browser. Attackers exploit it to phish users, because the link starts on a trusted domain, or to bypass security controls that only check the first hostname in a URL.

Open Redirect allows:
  • Phishing attacks (a trusted-looking link lands on an attacker-controlled site)
  • Bypassing security filters and allowlists that trust the originating domain
  • Malware distribution via the same trusted-looking links

🔍 Detection

  • Test: ?url=http://evil.com
  • Test: ?next=google.com
  • Test: ?redirect=//evil.com
  • Confirm: check the Location header of the 30x response (or the client-side location change) and verify it resolves to the host you supplied, not to the application's own origin

💣 Payloads

http://evil.com
//evil.com
///evil.com
javascript:alert(1)
data:text/html,<script>alert(1)</script>

The scheme-relative forms (// and ///) defeat checks that only look for a leading "http" or require a leading "/", since browsers collapse extra leading slashes and treat the first segment as the host. The javascript: and data: payloads only execute when the redirect is performed client-side (for example by assigning window.location); a server-side Location header with those schemes is not followed by modern browsers.

🛡️ Mitigation

✅ Validate redirects: Allowlist permitted hosts, parse the full URL before comparing, and reject scheme-relative URLs (//host), backslashes and userinfo (https://trusted.example@evil.com), which all change the effective host

✅ Use indirect references: Map allowed destinations to opaque IDs and look the URL up server-side, so no raw URL ever comes from the client

✅ Restrict protocols: Accept only http/https or a same-site relative path; a blocklist that strips javascript: and data: misses mixed-case, whitespace-padded and encoded variants
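As an added example (not code from the original page), the following Python validator applies the three mitigation points above and is exercised against the Detection and Payloads strings listed earlier. The allowlist, the redirect ID table, the query-parameter names `to` and `next`, and the extra probe strings beyond the page's own list (backslash and userinfo variants) are assumptions made for the example.

```python
"""Open Redirect mitigation: allowlist + indirect references + protocol restriction.

Added example; the hosts, table and parameter names below are assumptions.
"""
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this application may redirect a browser to.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}

# Assumed indirect-reference table: clients send an opaque ID, never a raw URL.
REDIRECT_TABLE = {
    "home": "/dashboard",
    "docs": "https://www.example.com/docs",
}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an absolute http(s)
    URL whose host is on the allowlist."""
    # Empty input, C0 control characters and spaces are rejected outright:
    # browsers strip or tolerate them, so "java\tscript:" could slip past a
    # scheme check that runs on the raw string.
    if not target or any(ord(c) <= 0x20 for c in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, urlsplit does not; "/\evil.com"
    # would parse here as a local path but navigate to evil.com.
    if "\\" in target:
        return False
    if target.startswith("/"):
        # A single leading slash is a local path. "//evil.com" is scheme-relative
        # and "///evil.com" is collapsed by browsers to the same thing, so only
        # the single-slash form is accepted.
        return not target.startswith("//")
    parts = urlsplit(target)
    # Protocol restriction: only http/https. This rejects javascript:, data:,
    # and also a bare "google.com" (no scheme, so nothing to allowlist).
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # Userinfo tricks: "https://app.example.com@evil.com" has host evil.com.
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def resolve_redirect(request_args: dict, fallback: str = "/") -> str:
    """Choose the Location for a 302 from the query parameters.

    Prefers the indirect reference ("to=<id>"); a raw "next=<url>" is only
    honoured when it passes the allowlist check, otherwise the fallback is used.
    """
    ref = request_args.get("to")
    if ref is not None:
        return REDIRECT_TABLE.get(ref, fallback)
    url = request_args.get("next", "")
    return url if is_safe_redirect(url) else fallback


# Constructed probe set: the page's payloads plus a few extra bypass variants.
PROBES = [
    "http://evil.com",
    "//evil.com",
    "///evil.com",
    "javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "google.com",
    "/\\evil.com",
    "https://app.example.com@evil.com",
    "/account?tab=security",
    "https://www.example.com/docs",
]

if __name__ == "__main__":
    for probe in PROBES:
        verdict = "allow" if is_safe_redirect(probe) else "block"
        print(f"{verdict:5}  {probe}")
```

Only the last two probes should be allowed. The check deliberately parses the whole URL rather than string-matching the prefix, since every bypass in the payload list works by making a prefix check and the browser disagree about where the host starts.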