GET-Based Open Redirect


The application may implement redirection functionality through a GET parameter.


This will redirect the user to
Here, the URL is supplied as a GET parameter; the parameter may carry a different name in other applications.

An attacker can use

If the server does not validate the URL parameter, the application is vulnerable to open redirection.

Depending on the implementation, an open redirect can sometimes be used for client-side code execution (JavaScript), like


  • An attacker can use this to redirect users to a malicious site that may spread malware or be used for phishing.


  • Avoid redirections based on user input.
  • If redirection is needed at all, use an internal id that the server resolves to the actual redirect URL.
  • Show a redirect warning page and redirect only if the user clicks the "I agree" button.
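As an added example that is not from the original page, the two server-side mitigations above in Python: an internal-id lookup, and, for legacy `url=` parameters that cannot be removed yet, a same-origin check that also rejects `javascript:` targets and protocol-relative hosts. The application origin and the id table are assumed values.

```python
from urllib.parse import urlparse, urljoin

# Constructed allow-list: opaque ids resolved server-side to real targets,
# so user input never names a destination URL directly.
REDIRECT_TARGETS = {
    "account": "/account/",
    "docs": "https://docs.example.com/start",
}

APP_ORIGIN = "https://app.example.com"  # assumed origin of the application
FALLBACK = "/"


def resolve_redirect_id(redirect_id: str) -> str:
    """Preferred mitigation: map an internal id to a URL; unknown ids fall back."""
    return REDIRECT_TARGETS.get(redirect_id, FALLBACK)


def safe_redirect_url(url: str) -> str:
    """Fallback for a raw 'url=' parameter: accept only same-origin targets.

    Rejects absolute URLs to other hosts, protocol-relative '//evil.example',
    backslash variants that browsers normalise to '//', and non-http schemes
    such as 'javascript:' (the client-side code execution case).
    """
    candidate = (url or "").strip().replace("\\", "/")
    # Resolve against the app origin so '/path' and 'path' are handled uniformly;
    # an absolute or scheme-bearing input keeps its own scheme and host.
    absolute = urljoin(APP_ORIGIN + "/", candidate)
    parsed = urlparse(absolute)
    origin = urlparse(APP_ORIGIN)
    if parsed.scheme not in ("http", "https"):
        return FALLBACK
    if parsed.netloc.lower() != origin.netloc.lower():
        return FALLBACK
    # Return a relative URL so the Location header can never carry a foreign host.
    path = parsed.path or "/"
    return path + ("?" + parsed.query if parsed.query else "")
```

The same-origin check is the weaker of the two: it still lets users be sent anywhere on the site, so prefer the id lookup for new code.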