mediumWeb Security

Open Redirect Vulnerability Enables Phishing and Token Theft

What Is This Vulnerability?

An open redirect occurs when your application accepts a user-supplied URL in a query parameter and redirects the browser to it without validation. Attackers use this to craft links that appear to come from your trusted domain but actually send users to a malicious site, making phishing campaigns highly effective.

Why It Happens

Login flows, OAuth callbacks, and post-action redirects often use a return URL parameter for convenience. Developers trust that the parameter will contain an internal path, but without explicit validation, an attacker can supply an external URL. URL parsing edge cases (like protocol-relative URLs or encoded characters) make basic string checks unreliable.

Example Code

Vulnerableapp/api/auth/callback/route.ts
import { NextRequest, NextResponse } from "next/server";

export async function GET(request: NextRequest) {
  const returnTo = request.nextUrl.searchParams.get("returnTo") || "/";

  // Redirects to whatever URL the user provides
  return NextResponse.redirect(returnTo);
}
Fixedapp/api/auth/callback/route.ts
import { NextRequest, NextResponse } from "next/server";

const ALLOWED_HOSTS = ["myapp.com", "www.myapp.com"];

function isSafeRedirect(url: string, baseUrl: string): boolean {
  try {
    const parsed = new URL(url, baseUrl);
    return ALLOWED_HOSTS.includes(parsed.hostname);
  } catch {
    return false;
  }
}

export async function GET(request: NextRequest) {
  const returnTo = request.nextUrl.searchParams.get("returnTo") || "/";
  const baseUrl = request.nextUrl.origin;

  if (!isSafeRedirect(returnTo, baseUrl)) {
    return NextResponse.redirect(new URL("/", baseUrl));
  }

  return NextResponse.redirect(new URL(returnTo, baseUrl));
}

How Hackers Exploit It

An attacker crafts a URL like https://myapp.com/auth/callback?returnTo=https://evil.com/phish and distributes it via email or social media. Victims see the trusted domain in the link and click it. After authentication, they are silently redirected to the attacker's page, which mimics the real site and harvests credentials or session tokens.

How to Fix It

Always validate redirect URLs against an allowlist of trusted hostnames. Parse the URL using the URL constructor to handle edge cases like protocol-relative URLs and encoded characters. For internal-only redirects, only accept relative paths that start with a single forward slash and reject anything containing a double slash or external protocol.

Frequently Asked Questions

Why is an open redirect considered a security issue?
Open redirects abuse user trust in your domain. Because the initial URL points to your legitimate site, email filters and users are more likely to trust the link. The redirect then sends them to a malicious destination without any visible warning.
Is checking for https:// at the start of the URL enough?
No. An attacker can use https://evil.com which passes that check. You must parse the full URL and validate the hostname against an allowlist. Also watch for edge cases like //evil.com, which browsers interpret as a protocol-relative URL.
Can open redirects lead to token theft?
Yes. In OAuth flows, if the redirect URI is not strictly validated, an attacker can redirect the authorization code or token to their own server. This is why OAuth providers require pre-registered redirect URIs.

Related Security Topics

Insecure Cookie Flags Allow Session Hijacking and CSRF

Learn about insecure cookie flags allow session hijacking and csrf and how to fix it.

Clickjacking Vulnerability Due to Missing Frame Protection

Learn about clickjacking vulnerability due to missing frame protection and how to fix it.

Missing HTTP Security Headers Expose Application to Common Attacks

Learn about missing http security headers expose application to common attacks and how to fix it.

Check Your Code for This Vulnerability

Run a free scan to check if your site is affected by open redirect vulnerability enables phishing and token theft.