Open Redirect
Open redirect (CWE-601) is a security flaw in a web application that accepts a redirect URL from the user and fails to properly validate that URL before using it; this class of flaw is also known as unvalidated redirects and forwards. Below are code samples in several programming languages that expose an open redirect flaw by accepting a user-supplied parameter and sending the redirect to the client without correctly validating it.
CSharp (C#)
if (!String.IsNullOrEmpty(returnUrl)) {
Response.Redirect(returnUrl);
} else {
Response.Redirect("login.aspx");
}
Java
// The redirect target is built from the incoming request (client-controlled) and never validated.
response.sendRedirect(request.getRequestURL().toString());
Node.JS
app.get('/login', function (req, res) {
  var redirect = req.query.redirect;   // user-controlled query parameter
  return res.redirect(redirect);       // sent straight to the client without validation
});
The vulnerability can be exploited in a phishing attack that abuses the trust users place in the web application's domain: the victim is redirected to a different web app that looks identical to the original site and prompts for credentials, recording them on the attacker's web app. This allows the attacker to access the legitimate web app impersonating the user who fell for the phishing attack. Another potential consequence is access to a part of the app the user is not authorized for, if permissions are not properly verified for the forward URL.
Sample of an open redirect attack redirecting the user to the fake site www.evilsite.com (the ReturnURL value is the percent-encoded form of www.evilsite.com):
https://www.yourapp.com/login.aspx?ReturnURL=%77%77%77%2e%65%76%69%6c%73%69%74%65%2e%63%6f%6d
This type of attack also damages the reputation of the web app, since the malicious redirect appears to originate from the legitimate site. 1
Mitigate
The easiest way to mitigate or prevent an open redirect attack is to not let the user supply the URL the app should redirect to. If redirects or forwards are needed, protect against this flaw by assuming that all user input is malicious and validating that the URL is well formed, that it is internal to the domain or belongs to a trusted domain (whitelist), and that the user is authorized to access that local URL. Below is a simple C# code sample that can help prevent this type of flaw.
CSharp (C#) 2
The ASP.NET MVC 3 UrlHelper static method IsLocalUrl protects users from being inadvertently redirected to a malicious site.
if(Url.IsLocalUrl(returnUrl))
Response.Redirect(returnUrl);
All controller actions should also carry an Authorize attribute and the appropriate permissions.
Find out more at
- https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
- https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards