
Open Redirect

“Open redirect” is a vulnerability in web applications that attackers use to trick users into visiting malicious websites, usually to phish their credentials or other personal information. It occurs when a website or application takes a URL from a request parameter and redirects the browser to it without validating that the destination is one the site intends to allow.

For example, if a website has a page called “redirect.php” that redirects to whatever URL is passed in a “url” parameter (e.g. www.example.com/redirect.php?url=https://www.attacker.com), an attacker can craft a link that begins with the site’s own domain, and so looks legitimate, but actually sends the user to a harmful website.

This is especially dangerous when the link is presented as a legitimate internal page of the site: the visible part (www.example.com/redirect.php?…) really is the trusted domain, while the “url” parameter points to an attacker-controlled page that imitates the site’s login form, e.g. www.example.com/redirect.php?url=https://www.attacker.com/login. Having clicked a link on the real domain, the user is unlikely to suspect anything is wrong and will probably enter their login credentials, which the attacker then captures. (A redirect whose parameter genuinely points back to www.example.com/login is harmless; the danger comes from the trusted prefix hiding an external destination.)

To prevent this vulnerability, websites and applications should validate the URL passed to a redirect and only allow redirects to trusted internal pages or pre-approved external websites. The check must be made on the parsed destination host against an exact allowlist, not on whether the string starts with or contains the site’s domain: values such as https://www.example.com.attacker.com, https://www.example.com@attacker.com or the scheme-relative //attacker.com pass prefix and substring checks yet lead off-site, and browsers also read backslashes and extra leading slashes (/\attacker.com, ///attacker.com) as external URLs. Where possible, do not accept a full URL at all: accept only a same-site path, or an index into a server-side table of permitted destinations.
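As an added example (not code from the original page, which describes a PHP handler; this is Python, and the names ALLOWED_HOSTS, is_safe_redirect_naive, is_safe_redirect and redirect_location are this example’s own), the following contrasts a substring check of the kind that fails with a validator that parses the destination and compares the exact hostname against an allowlist. It goes beyond the page’s two URLs by probing constructed bypass shapes that attackers commonly try against weak redirect validation.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example site; a real deployment would load it
# from configuration. Hostnames only, compared exactly (no prefix/substring).
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def is_safe_redirect_naive(target: str) -> bool:
    """The kind of check that looks like validation but is not: it only asks
    whether the site's domain appears somewhere in the string."""
    return "example.com" in target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site path or an http(s) URL whose
    exact hostname is on the allowlist."""
    # Browsers normalise "\" to "/" in http(s) URLs, so "/\attacker.com" becomes
    # "//attacker.com"; they also strip tabs and newlines, which can splice
    # pieces of a URL together. Reject control characters and backslashes.
    if any(ch <= " " or ch == "\x7f" or ch == "\\" for ch in target):
        return False

    parts = urlsplit(target)

    # Only http(s) or no scheme at all; this blocks javascript:, data:, file:, ...
    if parts.scheme.lower() not in ("", "http", "https"):
        return False

    if not parts.scheme and not parts.netloc:
        # Relative target. Require exactly one leading "/": "//host" is a
        # scheme-relative URL to another host, and browsers also read "///host"
        # as an external URL even though urlsplit() reports an empty netloc.
        return target.startswith("/") and not target.startswith("//")

    # Absolute URL (or scheme-relative "//host"): the parsed hostname must match
    # exactly. urlsplit().hostname drops userinfo ("user@") and the port and
    # lowercases the name, so "www.example.com@attacker.com" -> "attacker.com".
    return parts.hostname in allowed_hosts


def redirect_location(target: str, fallback: str = "/") -> str:
    """What a redirect handler should put in the Location header: the requested
    target if it is safe, otherwise a fixed same-site fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed probe values: legitimate targets plus common bypass shapes.
    probes = [
        "/login",
        "https://www.example.com/login",
        "https://www.attacker.com",
        "//attacker.com",
        "///attacker.com",
        "/\\attacker.com",
        "https://www.example.com.attacker.com/",
        "https://www.example.com@attacker.com/",
        "https://attacker.com/?next=example.com",
        "javascript:alert(1)",
    ]
    for p in probes:
        print(f"{p!r:45} naive={is_safe_redirect_naive(p)!s:5} "
              f"hardened={is_safe_redirect(p)}")
```

Running the block prints one row per probe; the naive check accepts the look-alike host, the userinfo trick and a query string containing the domain, while the hardened check accepts only “/login” and the genuine www.example.com URL. Note that the hardened check ignores the port, so a redirect to the allowlisted host on another port is still accepted; tighten the comparison to `parts.netloc` if that matters for your deployment.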