Open Redirect

When we visit somepopularsite.com, we place some trust in that site: we know it is not a malicious or fake one.

For example:
www.facebook.com
www.google.com
www.twitter.com

If we see a URL like https://m.facebook.com/story/view/?bucket_id=:bucket_id&viewer_session_id=:session_id&exit_uri=https://attacker.com, we look at the domain and, from that, understand that it is facebook.com.

But what if this URL redirects to attacker.com?

If it does, this is an Open Redirect vulnerability on facebook.com (yes, this was an actual bug found on Facebook by @dwi.siswanto98 in January 2020).

Open Redirect vulnerabilities can be classified as:

  1. GET-Based
  2. POST-Based
  3. Header-Based
  4. Flash-Based
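The GET-based case above, where a query parameter such as exit_uri names the redirect target, comes down to whether the server validates that parameter before issuing the redirect. The following is an added example, not code from the original post or from Facebook: a vulnerable handler that trusts the parameter, beside a hardened version that only redirects to a relative path or to a host on an allowlist. ALLOWED_HOSTS, DEFAULT_TARGET and both function names are hypothetical.

```python
from urllib.parse import urlparse

# Hypothetical site configuration: hosts the application may redirect to,
# and where to send the user when the supplied target is rejected.
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}
DEFAULT_TARGET = "/home"


def vulnerable_redirect_target(exit_uri: str) -> str:
    """The pattern behind an open redirect: the client-supplied value is
    passed straight into the Location header without any validation."""
    return exit_uri


def safe_redirect_target(exit_uri: str, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on this site or an allowed host;
    anything else falls back to the default."""
    if not exit_uri:
        return default
    # Browsers treat a backslash in the authority like a slash, so normalise
    # before parsing; embedded control characters are rejected outright.
    cleaned = exit_uri.strip().replace("\\", "/")
    if any(ord(c) < 0x20 for c in cleaned):
        return default
    parsed = urlparse(cleaned)
    if parsed.scheme == "" and parsed.netloc == "":
        # A site-relative path like "/settings" is fine. A value starting
        # with "//" is protocol-relative and would leave the site, and a
        # value with no leading slash is not a path we issued.
        if not cleaned.startswith("/") or cleaned.startswith("//"):
            return default
        return cleaned
    if parsed.scheme not in ("http", "https"):
        return default
    # .hostname drops userinfo ("allowed.host@other.host"), drops the port
    # and lowercases, so an exact allowlist comparison is safe here. Prefix
    # or substring checks are not: "m.facebook.com.other.host" must fail.
    host = parsed.hostname
    if host is None or host not in allowed_hosts:
        return default
    return cleaned
```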