Open Redirect in SLACK

Slack software is cloud-based collaboration software. Originally founded in 2009 as a chat tool for a now-defunct gaming technology, Slack has gained currency among enterprises and is broadening into a collaboration platform with capabilities beyond just messaging.

I discovered an Open Redirect Vulnerability on Another low-risk bug that I found xD

Steps to Reproduce

  1. Go to
  2. This will redirect you automatically.


GET /link?url= HTTP/1.1
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ht;q=0.8,id;q=0.7,so;q=0.6,es;q=0.5


HTTP/1.1 302 Found
Date: Fri, 15 Feb 2019 17:36:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
X-Via: haproxy-www-ok5p

Unfortunately I got an error while trying to inject XSS.

Suggested Fix


An attacker can redirect the victim to a malicious site via a legitimate domain name; the malicious site can be a copy of the real one that asks for the user's credentials.

But because of special conditions in Slack's security policy, this report is considered invalid (Not Applicable).
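For reference, this is what a fix for this class of bug looks like on the server side. It is an added example, not code from the report or from Slack: a validator for a redirect parameter that is meant to point back at the application's own pages, run before the Location header is emitted. The host names in ALLOWED_HOSTS, the sample targets and the function names are constructed for illustration. Beyond the plain `https://other-host` case shown in the report, it also rejects the usual bypass shapes (protocol-relative `//host`, backslash variants, userinfo tricks like `trusted@evil`, non-https schemes, and control characters that could split the header).

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"app.example.com", "example.com"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is an absolute path on this site or an
    https URL whose host is on the allow-list. Everything else is rejected."""
    if not isinstance(target, str) or not target:
        return False
    # CR/LF/TAB and other control characters: browsers strip some of them
    # before parsing, and CR/LF could split the Location header. Reject all.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat backslashes like forward slashes in the scheme/authority
    # part, so "/\evil.example" is really "//evil.example". Normalise first.
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)
    if parsed.scheme:
        if parsed.scheme.lower() != "https":
            return False  # javascript:, data:, http:, etc.
        # .hostname (not .netloc) discards userinfo and port, so
        # "https://app.example.com@evil.example/" yields "evil.example".
        host = (parsed.hostname or "").lower()
        return host in allowed_hosts
    if parsed.netloc:
        return False  # protocol-relative "//evil.example"
    # No scheme and no authority: must be an absolute path on this site.
    # "///evil.example" would resolve to another host, so two leading
    # slashes are refused as well.
    return normalised.startswith("/") and not normalised.startswith("//")


def redirect_target(url_param, default=DEFAULT_TARGET):
    """Value to put in the Location header: the requested target if it
    passes validation, otherwise a safe default on this site."""
    return url_param if is_safe_redirect(url_param) else default


if __name__ == "__main__":
    # Constructed sample values of a ?url= parameter and the resulting
    # redirect target; not taken from the report.
    samples = [
        "/settings",
        "https://app.example.com/team?id=1",
        "https://evil.example/",
        "//evil.example/",
        "/\\evil.example",
        "https://app.example.com@evil.example/",
        "http://app.example.com/",
        "javascript:alert(1)",
        "https://app.example.com/\r\nSet-Cookie: x=1",
    ]
    for s in samples:
        print(f"{s!r:50} -> {redirect_target(s)!r}")
```

The allow-list approach fits a parameter such as a post-login return path. A deliberate external-link gateway cannot allow-list destinations, so it needs a different design (for example an interstitial page that shows the destination, or a server-signed token tied to the specific link), which is outside this report.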