
Offensive360 Academy
Beginner · 15 min

Open Redirect

Understand how unvalidated redirect parameters enable phishing attacks and OAuth token theft.

1 Open Redirect for Phishing

An open redirect occurs when an application sends the browser to a URL taken from user-controlled input (a query parameter, form field or header) without validating it. Attackers embed their own destination in a link that begins with a domain the victim trusts, which raises click-through rates in phishing campaigns because the visible hostname is the legitimate one.

Vulnerable redirect:

from flask import Flask, request, redirect

app = Flask(__name__)

@app.route("/login")
def login_redirect():
    next_url = request.args.get("next", "/")
    # After successful login:
    return redirect(next_url)  # No validation: any absolute URL is accepted

An attacker crafts: https://bank.com/login?next=https://attacker.com/fake-banking-page

The victim sees a legitimate bank.com URL in the initial link, but after "logging in" is redirected to the attacker's phishing site.

OAuth token theft via open redirect:

If an OAuth authorization server validates redirect_uri by prefix (or accepts any URL under the client's registered host) instead of requiring an exact match with the registered value, an attacker can supply a redirect_uri that points at an open redirect on the legitimate client, e.g. redirect_uri=https://victim.com/redirect?to=https://attacker.com. The authorization server sends the victim's browser to victim.com with the authorization response, and victim.com's open redirect forwards the browser to attacker.com. In the authorization code flow the code sits in the query string and can leak through the Referer header or be forwarded by the redirect endpoint; in the implicit flow the access token sits in the URL fragment, which browsers carry across a 302 whose Location header has no fragment of its own.
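The chain described above, modelled end to end (an added example, not code from the Offensive360 lesson). It assumes the client registered https://victim.com/redirect with the authorization server and that the attacker collects tokens at https://attacker.com/collect; the function names are invented for the illustration. It models the implicit flow, where the token rides in the fragment, and reproduces the browser rule from RFC 7231 section 7.1.2 that a fragment is carried across a 302 whose Location header has none.

```python
from urllib.parse import urlparse, urlunparse, parse_qs

# Assumed redirect URI that the client "victim.com" registered with the authorization server
REGISTERED_REDIRECT_URI = "https://victim.com/redirect"


def redirect_uri_allowed_prefix(candidate):
    """Weak check: the supplied redirect_uri only has to start with the registered one.
    Anything appended after it (a query string, a sub-path) is accepted."""
    return candidate.startswith(REGISTERED_REDIRECT_URI)


def redirect_uri_allowed_exact(candidate):
    """The check RFC 6749 section 3.1.2.2 asks for: exact string comparison."""
    return candidate == REGISTERED_REDIRECT_URI


def authorization_response(redirect_uri, token):
    """Implicit-grant style response: the token is appended as a URL fragment."""
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def browser_follow_302(current_url, location):
    """Model the browser: per RFC 7231 section 7.1.2, when a Location header has no
    fragment the browser re-attaches the fragment of the URL it was on."""
    cur = urlparse(current_url)
    loc = urlparse(location)
    if cur.fragment and not loc.fragment:
        loc = loc._replace(fragment=cur.fragment)
    return urlunparse(loc)


def victim_open_redirect(request_url):
    """The client's vulnerable endpoint: answers 302 to whatever 'to' says.
    Returns the Location header value. The fragment never reaches the server."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("to", ["/"])[0]


def run_attack(redirect_uri_check):
    """Return the URL the attacker's server finally receives, or None when the
    authorization server rejects the attacker-chosen redirect_uri."""
    attacker_redirect_uri = REGISTERED_REDIRECT_URI + "?to=https://attacker.com/collect"
    if not redirect_uri_check(attacker_redirect_uri):
        return None
    # 1. Authorization server sends the victim's browser to the client with the token
    first_hop = authorization_response(attacker_redirect_uri, "SECRET_TOKEN")
    # 2. The client's open redirect answers with Location: https://attacker.com/collect
    location = victim_open_redirect(first_hop)
    # 3. The browser follows it and carries the fragment (the token) along
    return browser_follow_302(first_hop, location)


if __name__ == "__main__":
    print("prefix match:", run_attack(redirect_uri_allowed_prefix))
    print("exact match: ", run_attack(redirect_uri_allowed_exact))
```

With prefix matching the attacker's collector receives https://attacker.com/collect#access_token=SECRET_TOKEN&token_type=bearer; with exact matching the authorization server refuses the request before any redirect happens. Fixing the open redirect on victim.com closes this particular chain, but the durable control is on the authorization server side: exact-match redirect_uri comparison, so no path or query on the client can be abused.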

2 Allowlist Redirect Destinations

The safest fix is to only redirect to pre-approved destinations. For post-login redirects, verify the destination is on the same site.

Same-site redirect validation:

from urllib.parse import urlparse

def safe_redirect(next_url):
    if not next_url:
        return "/"
    # Browsers treat "\" as "/" and "//host" as scheme-relative, so reject both
    if "\\" in next_url or next_url.startswith("//"):
        return "/"
    parsed = urlparse(next_url)
    # Allow only http(s) or scheme-less URLs; blocks javascript:, data:, etc.
    if parsed.scheme not in ("", "http", "https"):
        return "/"
    # Allow only relative URLs or same-origin (hostnames are case-insensitive)
    if parsed.netloc and parsed.netloc.lower() != "myapp.com":
        return "/"  # Reject external redirects
    return next_url

@app.route("/login", methods=["POST"])
def login():
    # ... authenticate ...
    return redirect(safe_redirect(request.args.get("next")))

Allowlist of valid destinations:

ALLOWED_REDIRECTS = [
    "/dashboard",
    "/profile",
    "/settings",
]

def safe_redirect(next_url):
    if next_url in ALLOWED_REDIRECTS:
        return next_url
    return "/dashboard"  # Default safe destination

Defense checklist:

  • Accept only site-relative paths (a single leading "/", no "//" and no "\") or URLs whose scheme and host exactly match your origin
  • Use an allowlist of permitted redirect destinations
  • Never trust user-supplied hostnames in redirect targets, and require an exact match for OAuth redirect_uri values
  • Log and alert on redirect attempts to external domains
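To see why the checklist insists on the "single leading slash" rule, the added example below (not code from the Offensive360 lesson) runs a set of constructed bypass payloads through two validators: a naive one that, like many first attempts, only compares the parsed hostname, and a hardened one that accepts nothing but a site-relative path. The application hostname myapp.com and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlparse

APP_HOST = "myapp.com"  # assumed hostname of the application


def naive_is_safe(next_url):
    """Only checks the parsed hostname. Anything urlparse sees as host-less passes."""
    parsed = urlparse(next_url)
    return not parsed.netloc or parsed.netloc == APP_HOST


def hardened_is_safe(next_url):
    """Accept only a site-relative path: exactly one leading '/', no backslashes,
    no control characters, and nothing urlparse could read as a scheme or host."""
    if not next_url or not next_url.startswith("/") or next_url.startswith("//"):
        return False
    if "\\" in next_url or any(ord(ch) < 0x20 or ch == "\x7f" for ch in next_url):
        return False
    parsed = urlparse(next_url)
    return parsed.scheme == "" and parsed.netloc == ""


# Constructed payloads: every entry here must be rejected by a correct validator
MALICIOUS = [
    "https://attacker.com",            # plain external URL
    "//attacker.com",                  # scheme-relative: resolves to https://attacker.com
    "/\\attacker.com",                 # browsers normalise '\' to '/', so this is //attacker.com
    "https://myapp.com.attacker.com",  # hostname suffix trick
    "https://myapp.com@attacker.com",  # userinfo trick: the real host is attacker.com
    "javascript:alert(document.domain)",
    "/dashboard\r\nSet-Cookie: x=y",   # CRLF: header injection if passed through unescaped
]

# Constructed payloads that a correct validator must still accept
BENIGN = ["/dashboard", "/settings?tab=security", "/a/b/c#frag"]


def evaluate(validator):
    """Return the malicious payloads a validator wrongly accepts."""
    return [payload for payload in MALICIOUS if validator(payload)]


if __name__ == "__main__":
    print("naive accepts:   ", evaluate(naive_is_safe))
    print("hardened accepts:", evaluate(hardened_is_safe))
    print("hardened keeps benign:", all(hardened_is_safe(p) for p in BENIGN))
```

The naive check lets through the backslash payload, the javascript: URL and the CRLF payload, because urlparse reports an empty netloc for all three even though a browser or the HTTP layer will treat them differently. Rejecting early on the raw string, before parsing, is what removes that gap; the hostname comparison on its own is not enough.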

Knowledge Check

Q1

How does an open redirect increase the effectiveness of phishing?

Q2

What is the safest approach to validating redirect URLs?

Q3

How can an open redirect facilitate OAuth token theft?

Code Exercise

Validate Redirect URL

The login redirect uses the "next" parameter without validation. Add validation to only allow relative URLs pointing to paths on your own site.
