An open redirect vulnerability is exploited when a client is redirected to a domain other than the one they intended to visit. Though open redirects are not considered high-impact security risks, they hold valuable lessons for beginners.
An open redirect is exploitable when a site trusts an attacker-supplied redirection target, which can be introduced by manipulating the window.location property of the DOM, a URL parameter, or a <meta> refresh tag.
Because redirections are often used to send clients to the appropriate resource, open redirect vulnerabilities arise when developers do not carefully validate the redirection target.
Let’s assume a site redirects the client through a URL parameter, as in the following example: www.site.com/?redirect_url=https://shop.site.com. If the site is vulnerable, an attacker can simply replace the URL following the redirect_url parameter with their own site and thus send the victim site’s traffic there. Note that the parameter doesn’t have to be called redirect_url; it is just a placeholder in this example. It could be anything, but some common names are redirect, url, forward_url and redirect_url.
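The defensive counterpart to the redirect_url parameter above, added here as an example and not code from the original post: a validator that only lets the application redirect to a relative path on the same site, or to an https URL whose hostname is on a fixed allow-list. The host names shop.site.com and www.site.com are taken from the example above; the function name safe_redirect_target, the allow-list and the sample inputs in the demo are constructed for this example.

```python
from urllib.parse import urlsplit

# Hosts this site is willing to redirect to (constructed allow-list for the example).
ALLOWED_HOSTS = frozenset({"shop.site.com", "www.site.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on this site, or `default`.

    Accepts only two shapes:
      1. a relative path starting with a single "/" (no scheme, no host), or
      2. an absolute https URL whose hostname is in `allowed_hosts`.
    Everything else (other schemes, protocol-relative "//host", backslashes,
    control characters, unknown hosts) falls back to `default`.
    """
    if not candidate or not isinstance(candidate, str):
        return default
    # Browsers tolerate embedded tabs/newlines and treat "\" like "/";
    # refuse both outright rather than trying to normalise them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate) or "\\" in candidate:
        return default

    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash. "//host" already has a
        # netloc and is handled below; "///host" lands here and is rejected
        # because browsers collapse the extra slashes into "//host".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Absolute target: pin the scheme and compare the parsed hostname, not the
    # raw netloc, so userinfo ("allowed@other") and port variations cannot
    # make an unknown host look like an allowed one.
    if parts.scheme.lower() != "https" or parts.hostname is None:
        return default
    if parts.hostname.lower() not in allowed_hosts:
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample values of the kind a redirect_url parameter might carry.
    samples = [
        "/account/orders",
        "https://shop.site.com/cart",
        "https://www.attacker.com/",
        "//www.attacker.com/",
        "javascript:alert(1)",
        "https://shop.site.com@www.attacker.com/",
    ]
    for value in samples:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The point of returning `default` instead of raising is that the redirect handler can call `safe_redirect_target(request.args.get("redirect_url"))` and always have a usable, on-site destination; an unexpected value degrades to the home page rather than to an error.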
As discussed, changing parameters is just one way of exploiting an open redirect vulnerability. Another is changing the content attribute of a <meta> tag. For example, let’s assume the following <meta> tag is injected into a victim’s page: <meta http-equiv="refresh" content="0;url=http://www.attacker.com"/>. This tells the browser to refresh the page after 0 seconds and redirect the client to attacker.com. Alternatively, with script injection, it is also possible to use the window.location property of the DOM to redirect users. There are multiple ways to write this, but the simplest is window.location = "http://www.attacker.com".