
Open Redirect

A web application vulnerability that redirects users to any externally specified URL without validation. Exploited in phishing attacks.

Nov 15, 2025 · About 1 min read

Security

An open redirect is a vulnerability in which a web application uses a URL parameter value as a redirect destination without validating it. It is one of the major web security risks defined by OWASP (Open Web Application Security Project).

Here is a concrete example. With a URL like "https://trusted-site.com/redirect?url=https://evil-site.com", if trusted-site.com redirects to the url parameter value without validation, the user clicks what appears to be a link on a trusted domain but ends up on a malicious site.

Open redirects are exploited in phishing attacks because a trusted domain's URL serves as the entry point. Email security filters and users performing visual checks tend to judge a link as safe if it starts with a legitimate domain.

URL shortening services are inherently redirect services, which makes them closely related to the open redirect problem. Malicious actors do use shortening services to create links to phishing sites. As countermeasures, major shortening services implement malware scanning, blacklist matching, and splash pages (warning screens displayed before redirecting).

To prevent open redirects in your own applications, effective measures include restricting redirect destinations to a whitelist, allowing only relative URLs, and validating the redirect target's domain. Implementations that pass URL parameters directly as redirect destinations should be avoided in all cases.
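The following is an added example (not code from this site) showing the unsafe pattern beside a validator that applies the three measures above: it accepts only same-site relative paths or http(s) URLs whose host is on an allowlist, and falls back to a default target otherwise. The allowlist, the default target and all test inputs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example: hosts this application may redirect to.
ALLOWED_HOSTS = {"trusted-site.com", "www.trusted-site.com"}
DEFAULT_TARGET = "/"  # where to send the user when the requested target is rejected


def vulnerable_redirect_target(url: str) -> str:
    """The pattern the article warns against: the parameter becomes the
    Location header unchanged, so any host the caller names is accepted."""
    return url


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target that is either a same-site relative path or an
    http(s) URL whose host is on the allowlist; anything else falls back to
    DEFAULT_TARGET."""
    # CR/LF or other control characters would corrupt the Location header.
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing.
    candidate = url.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Relative target. Python parses "///host" as a bare path, but a browser
        # resolves it to //host, so reject anything starting with two slashes
        # and require exactly one leading slash.
        if candidate.startswith("//") or not candidate.startswith("/"):
            return DEFAULT_TARGET
        return candidate

    # Absolute target: the scheme must be http(s) ("javascript:" is rejected),
    # the host must match the allowlist exactly (so a look-alike subdomain of
    # another site fails), and userinfo before "@" is not allowed at all.
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    return urlunsplit(parts)
```

The checks are layered because each one closes a case the others miss: the scheme test alone would pass a scheme-relative `//host`, and the hostname test alone would pass a URL whose allowed host sits in the userinfo part.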


FAQ

How dangerous is an open redirect?
On its own, it does not directly cause data breaches or system compromise, but it significantly increases the success rate of phishing attacks. Because a trusted domain's URL serves as the entry point, users are more easily deceived. OWASP classifies it as a major risk.
Is a URL shortening service a type of open redirect?
Technically it is a redirect service, but legitimate shortening services detect and block malicious URLs through malware scanning and blacklist matching. This distinguishes them from a vulnerability that redirects without restriction.
How can I check if my site has an open redirect vulnerability?
Review any endpoints that perform redirects and check whether externally supplied URLs are being set directly in the Location header without validation. Automated scanning with tools like OWASP ZAP is also effective.
