{
    "slug": "open_redirect",
    "term": "Open Redirect",
    "category": "security",
    "difficulty": "beginner",
    "short": "A redirect destination taken from user input can send victims to attacker-controlled sites, enabling phishing.",
    "long": "An open redirect lets an attacker craft a URL on your trusted domain that immediately redirects to a malicious site. Because the initial URL appears legitimate (e.g. yourbank.com/login?next=evil.com), victims are more likely to click it. Attackers use open redirects in phishing campaigns and OAuth token theft. Mitigation: validate redirect targets against an explicit allowlist of permitted paths, or restrict to relative URLs only — while still rejecting protocol-relative forms such as //host, which browsers resolve to a different origin.",
    "aliases": [
        "unvalidated redirect",
        "open redirector",
        "URL redirect vulnerability"
    ],
    "tags": [
        "phishing",
        "owasp-top10",
        "cwe-601"
    ],
    "misconception": "Open redirects are low severity because they just redirect users. In reality they are routinely chained with phishing (trusted domain in the URL), OAuth redirect_uri bypass, and SSRF — making them a common link in higher-severity attack chains.",
    "why_it_matters": "An open redirect lends your trusted domain to phishing campaigns — the victim sees a legitimate URL before being redirected to a malicious site.",
    "common_mistakes": [
        "Using $_GET['redirect'] or $_GET['next'] directly in header('Location: ...') without validation.",
        "Validating that the URL starts with your domain using strpos() — trivially bypassed with your-domain.evil.com.",
        "Allowing protocol-relative URLs (//evil.com), which browsers resolve against the current scheme and follow to that external host.",
        "Forgetting that JavaScript redirects (window.location) are equally exploitable if fed from user input."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "header_injection"
    ],
    "prerequisites": [
        "input_validation",
        "allowlist_vs_blocklist"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html",
        "https://cwe.mitre.org/data/definitions/601.html"
    ],
    "bad_code": "// Redirects to any URL the user provides\n$url = $_GET['next'];\nheader('Location: ' . $url);",
    "good_code": "// Allowlist approach\n$allowed = ['/dashboard', '/profile', '/orders'];\n$next    = $_GET['next'] ?? '/dashboard';\n$target  = in_array($next, $allowed, true) ? $next : '/dashboard';\nheader('Location: ' . $target);\n\n// Or reject any value that carries a host component (absolute or protocol-relative URLs)\n$parsed = parse_url($next);\nif (!empty($parsed['host'])) { $next = '/dashboard'; } // note: parse_url() returns false for malformed input, which this check does not reject",
    "quick_fix": "Never redirect to a URL taken from user input; use an allowlist of permitted destinations or internal path-only redirects",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/open_redirect",
        "html_url": "https://codeclaritylab.com/glossary/open_redirect",
        "json_url": "https://codeclaritylab.com/glossary/open_redirect.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Open Redirect](https://codeclaritylab.com/glossary/open_redirect) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/open_redirect"
            }
        }
    }
}