The application can have redirection functionality driven by a GET parameter.
This will redirect the user to
The URL is supplied as a GET parameter; the parameter may appear under different names.
An attacker can use
If the server does not validate the URL parameter, the application is vulnerable to open redirection.
- An attacker can use this to redirect users to a malicious site that may spread malware or be used for phishing.
- Avoid user-input-based URL redirections.
- Use an internal id that resolves to the actual redirect URL, if you need redirection at all.
- Show a redirect warning page and redirect only if the user clicks the
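The three mitigations above, as an added example that is not part of the original page: the vulnerable pattern (parameter used verbatim), an internal-id lookup, a validator for the case where a URL parameter must be kept, and the off-site warning decision. The function names, the `REDIRECT_TARGETS` table and the `www.example.com` host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: an opaque internal id resolves to the real target,
# so the browser never supplies a URL at all (mitigation: internal id).
REDIRECT_TARGETS = {
    "dashboard": "/account/dashboard",
    "docs": "https://docs.example.com/start",
}


def unsafe_redirect_target(next_url):
    """The vulnerable pattern: the GET parameter is returned verbatim."""
    return next_url


def resolve_redirect_id(redirect_id):
    """Unknown ids fall back to a fixed page instead of an attacker-chosen URL."""
    return REDIRECT_TARGETS.get(redirect_id, "/")


def is_local_path(next_url):
    """Accept only a path on this site if a URL parameter has to be kept.

    Rejects absolute URLs, scheme-relative //host, backslash variants that
    browsers treat as //, and whitespace/control characters that browsers
    strip before parsing (e.g. "/\\t/evil" becomes "//evil" in a browser)."""
    if not next_url or not next_url.startswith("/"):
        return False
    if next_url.startswith("//") or next_url.startswith("/\\"):
        return False
    if any(c in next_url for c in "\\\t\r\n\x00"):
        return False
    parts = urlsplit(next_url)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(next_url, default="/"):
    """Validated variant of unsafe_redirect_target."""
    return next_url if is_local_path(next_url) else default


def redirect_decision(redirect_id, site_host="www.example.com"):
    """Never auto-redirect off-site: return ('warn', url) so the caller can
    render a warning page; same-site targets get ('redirect', url)."""
    target = resolve_redirect_id(redirect_id)
    host = urlsplit(target).netloc
    if host and host != site_host:
        return ("warn", target)
    return ("redirect", target)
```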