Open Redirect in SLACK

Feb 16, 2019 · 1 min read

Slack software is cloud-based collaboration software. Originally founded in 2009 as a chat tool for a now-defunct gaming technology, Slack has gained currency among enterprises and is broadening into a collaboration platform with capabilities beyond just messaging.

I discovered an Open Redirect Vulnerability on Another low-risk bug that I found xD

Steps to Reproduce

  1. Go to
  2. This will redirect you automatically.

Request:

GET /link?url= HTTP/1.1
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ht;q=0.8,id;q=0.7,so;q=0.6,es;q=0.5

Response:

HTTP/1.1 302 Found
Date: Fri, 15 Feb 2019 17:36:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
X-Via: haproxy-www-ok5p

Unfortunately I got an error while trying to inject XSS.

Suggested Fix

An attacker can send a victim to a malicious site through a link that carries the legitimate domain name; that site can be a copy of the real login page asking for the user's credentials. The redirect endpoint should therefore only follow destinations on the application's own hosts instead of reflecting whatever the url parameter contains.
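The following is an added example and not Slack's code: it contrasts a `/link?url=` handler that reflects its parameter (the behaviour shown in the 302 above) with a hardened one that resolves the parameter against the application's own origin and only follows allow-listed hosts. The base URL `https://app.example.com/`, the allow-list, and the function names are assumptions for illustration.

```python
"""Open-redirect check for a /link?url=... style endpoint.

Added example, not Slack's code.  The base URL and host allow-list are
hypothetical placeholders for whatever hosts an application legitimately
serves.
"""
from urllib.parse import urljoin, urlsplit

# Hypothetical application origin and host allow-list (placeholders).
BASE_URL = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com", "files.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_redirect(target, base_url=BASE_URL, allowed_hosts=ALLOWED_HOSTS):
    """Return an absolute URL that is safe to redirect to, or None.

    `target` is treated as attacker-controlled input.  It is resolved
    against the application's own origin and accepted only when the
    resulting scheme is http(s) and the host is on the allow-list.
    """
    if not target:
        return None
    target = target.strip()
    # Browsers and proxies disagree on how to parse control characters
    # inside a URL, so reject them outright rather than guess.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return None
    # Browsers treat a backslash like a slash in the authority position,
    # so "/\evil.example" is really "//evil.example".  Normalise first.
    target = target.replace("\\", "/")
    resolved = urljoin(base_url, target)
    parts = urlsplit(resolved)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None          # javascript:, data:, etc.
    if "@" in parts.netloc:
        return None          # https://app.example.com@evil.example/
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return None          # external host, including look-alike subdomains
    return resolved


def vulnerable_link_handler(url_param):
    """'Before' behaviour: the parameter is reflected into Location as-is."""
    return 302, url_param


def hardened_link_handler(url_param):
    """'After' behaviour: only allow-listed destinations are followed;
    anything else falls back to the application's own landing page."""
    location = resolve_redirect(url_param)
    if location is None:
        return 302, BASE_URL
    return 302, location


if __name__ == "__main__":
    # Constructed sample inputs covering the common bypass shapes.
    samples = [
        "/dashboard",
        "https://app.example.com/settings?tab=1",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example/login",
        "https://app.example.com@evil.example/",
        "https://app.example.com.evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        before = vulnerable_link_handler(s)[1]
        after = hardened_link_handler(s)[1]
        print(f"{s!r:44} before={before!r:44} after={after!r}")
```

The host check is an exact match against a set rather than a prefix or substring test, which is what defeats the `app.example.com.evil.example` and `app.example.com@evil.example` shapes; the backslash normalisation and the protocol-relative `//` case are handled by resolving through `urljoin` before inspecting the host.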

But because of Slack's security policy, this report was considered invalid (Not Applicable).
