The Risk
Apps often redirect after login or an action, using a destination taken from a parameter so the user lands where they began. If that destination is not validated, an attacker crafts a link to your trusted domain that bounces the victim to a malicious site. This is an open redirect. It lends credibility to phishing because the link starts on a domain the user trusts, and it can be chained to steal tokens passed through the flow.
The danger is treating any user-supplied URL as a safe place to send people.
The Defense
- Avoid external redirect targets from input. Redirect to fixed internal paths chosen by the server.
- If a target must vary, use an allowlist of permitted destinations or a mapping from a short key to a known URL.
- Accept only relative paths and reject anything that names another host or scheme.
- Show an interstitial warning when leaving to an external site is genuinely required.
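The list above in working form, as an added example that is not part of the original text: a validator for a `next`/`return_to` parameter that maps short keys to known URLs, passes only same-origin relative paths, allows absolute URLs only for an exact-match host allowlist, and falls back to a fixed internal page for everything else. The host names, key table and default target are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample configuration for this example.
ALLOWED_HOSTS = {"example.com", "accounts.example.com"}       # exact hosts only
DESTINATION_KEYS = {"docs": "https://docs.example.com/start"}  # short key -> known URL
DEFAULT_TARGET = "/"


def is_safe_relative_path(target: str) -> bool:
    """True only for a same-origin path such as "/account?tab=1"."""
    # Require exactly one leading slash: "//evil.example" is protocol-relative,
    # and browsers normalise "/\evil.example" to the same thing.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_allowed_absolute_url(target: str) -> bool:
    """True only for https URLs whose whole authority is an allowed host.

    Matching the entire netloc (not a suffix, not just the hostname) rejects
    "example.com.evil.example" and "https://example.com@evil.example/".
    """
    parts = urlsplit(target)
    return parts.scheme == "https" and parts.netloc.lower() in ALLOWED_HOSTS


def resolve_redirect(value: Optional[str]) -> str:
    """Map the raw parameter value to a destination the server trusts."""
    if value is None:
        return DEFAULT_TARGET
    # ASCII whitespace and control characters make browsers and server-side
    # parsers disagree about the URL, so refuse them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return DEFAULT_TARGET
    if value in DESTINATION_KEYS:
        return DESTINATION_KEYS[value]
    if is_safe_relative_path(value) or is_allowed_absolute_url(value):
        return value
    return DEFAULT_TARGET
```

Call `resolve_redirect()` on the parameter and redirect to its return value; the raw parameter never reaches the `Location` header.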
Key Idea
Validate redirect destinations against an allowlist or restrict them to internal relative paths so your domain cannot be used to bounce victims to attacker sites.