Open redirect is a security vulnerability (CWE-601: URL Redirection to Untrusted Site) that attackers can abuse to forward users to malicious pages.
A web application receives a query parameter containing a location, normally an internal resource or path, and sends an HTTP response with status code 301 or 302 (or another 3xx redirect status) whose ‘Location’ header is built from that parameter. The browser follows the redirect. An example of such a URL is https://www.example.org/verify?redirect=success.html
If the application does not validate the parameter, an attacker can pass the address of a page they control as the redirect parameter: https://www.example.org/verify?redirect=www.evil-page.com
If a user clicks this link, the browser is redirected to evil-page.com. If example.org belongs to a trusted company or organisation, attackers can use such links in phishing mails: the visible link points at the trusted domain and gains the victim's trust, while the browser ends up on the attacker's page.
To prevent such a vulnerability, the redirect parameter must be validated before it is placed in the Location header: accept only relative paths or URLs whose host is on an allow-list, and reject absolute URLs to other hosts, protocol-relative values (//host), backslash variants that browsers treat as slashes, and non-http(s) schemes such as javascript:.
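As an added example (not code from the original post, from Vodafone, or from the advisory), here is the unchecked redirect pattern described above next to a validator that applies such an allow-list check. The allowed host, the default target and the handler names are assumptions made for illustration, and the validator goes beyond the page's single payload by also covering the protocol-relative, triple-slash, backslash and userinfo forms that browsers accept as a foreign host:

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for this example: the only host the app may send users to, and
# where to send them when the parameter is rejected.
ALLOWED_HOSTS = {"www.example.org"}
DEFAULT_TARGET = "/"


def vulnerable_redirect(redirect_param: str) -> tuple[int, dict]:
    """The pattern the post describes: the query value is copied into Location unchecked."""
    return 302, {"Location": redirect_param}


def safe_redirect_target(value: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return value if it is a relative path or an https URL on an allowed host, else default."""
    if not value or len(value) > 2048:
        return default
    # Browsers strip tabs/newlines and tolerate surrounding spaces when parsing a URL,
    # so a filter that sees the raw string must reject them instead of reasoning about them.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in value):
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil-page.com" becomes
    # protocol-relative in the browser even though Python's parser sees a plain path.
    candidate = value.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal such as "https://[evil"
        return default

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Browsers collapse any run of leading slashes ("//", "///")
        # into "scheme-relative host", so allow at most one leading slash.
        if candidate.startswith("//"):
            return default
        return candidate

    # Absolute URL: https only, and the host must match the allow-list exactly.
    # .hostname drops userinfo and port, so "https://www.example.org@evil-page.com"
    # is compared as evil-page.com and rejected; "www.example.org.evil-page.com"
    # fails the exact match.
    if parts.scheme != "https" or not parts.hostname:
        return default
    if parts.hostname.lower() not in allowed_hosts:
        return default
    return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, parts.fragment))


def handle_verify(query: dict) -> tuple[int, dict]:
    """Hardened handler: same response shape as the vulnerable one, Location validated first."""
    return 302, {"Location": safe_redirect_target(query.get("redirect", ""))}


if __name__ == "__main__":
    # Constructed sample inputs: the post's two values plus common bypass forms.
    for p in ["success.html", "www.evil-page.com", "https://www.evil-page.com/",
              "//www.evil-page.com", "/\\www.evil-page.com",
              "https://www.example.org@www.evil-page.com/"]:
        print(f"{p!r:48} vulnerable -> {vulnerable_redirect(p)[1]['Location']!r:44} "
              f"hardened -> {handle_verify({'redirect': p})[1]['Location']!r}")
```

Note that the post's literal payload www.evil-page.com passes the validator as a relative path: a Location header with no scheme and no leading // is resolved by the browser against the current origin, so it only leaves example.org if the server itself prepends a scheme. Real attacks therefore use absolute or protocol-relative forms, which is what the rejected cases above target. Exact host matching (rather than a "starts with" or "contains" test) is deliberate, since prefix checks are the usual source of bypasses in redirect filters.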
We discovered such an open redirect vulnerability in one of Vodafone's URLs that is used to verify customer emails. This is a serious security risk, because Vodafone uses this URL to verify legacy customer data, so no one would expect a redirect to a malicious page when receiving such a URL from Vodafone.
More details are available in the security advisory EXX-2021-01 (Advisory-EXX-2021-01).
Posted by Sebastian Schwegler