Open in app

Sign in

Write

Sign in

Open Redirect Vulnerabilities: Understanding and mitigations in JavaScript

Ajay Monga
3 min readMar 2, 2024

--

An Open Redirect Vulnerability occurs when a web application accepts a user-controlled input that directs the user to a different URL. This input typically comes from a parameter within the URL itself, or from a form submission field. Attackers can exploit this vulnerability by crafting malicious URLs that redirect users to phishing sites, malware downloads, or other malicious destinations.

For example, if your domain is example.com, the attacker may create the following URL:

https://example.com/redirect.php?url=http://malicious.com

Vulnerable Code:

// Vulnerable JavaScript code with Open Redirect Vulnerability
function redirectToPage() {
    // Get the destination URL from the query parameter
    var redirectTo = window.location.search.substring(1).split('=')[1];
     
    // Redirect the user to the destination URL
    window.location.href = redirectTo;
}
// Example usage:
// If the URL is "http://example.com/?redirect=http://malicious-site.com"
// The redirectToPage function will redirect the user to "http://malicious-site.com"

Fixed Code:

// Remediated JavaScript code with Open Redirect Vulnerability fixed
function redirectToPage() {
    // Get the destination URL from the query parameter
    var redirectTo = getParameterValue('redirect');
    // Check if the redirect URL is valid
    if (isValidUrl(redirectTo)) {
        // Redirect the user to the destination URL
        window.location.href = redirectTo;
    } else {
        // Redirect to a default safe URL if the redirect URL is invalid
        window.location.href = 'http://example.com/default-page';
    }
}
// Function to extract and decode query parameter value
function getParameterValue(parameterName) {
    var query = window.location.search.substring(1);
    var parameters = query.split('&');
    for (var i = 0; i < parameters.length; i++) {
        var pair = parameters[i].split('=');
        if (pair[0] === parameterName) {
            return decodeURIComponent(pair[1]);
        }
    }
    return null;
}
var allowedRedirects = ["https://example.com", "https://trusteddomain.com"];
 
function isValidInput(url) {
    if (allowedRedirects.includes(url)) {
        return true;
    } else {
        return false;
    }
}

In the remediated code:

  1. The `redirectToPage` function now uses the `getParameterValue` function to extract the value of the `redirect` parameter from the URL query string and decode it.
  2. The `isValidUrl` function checks whether the extracted redirect URL is in a valid format. It uses a regular expression pattern to validate the URL’s structure, ensuring it begins with `http://` or `https://` and adheres to standard URL conventions.
  3. Before redirecting the user, the code checks if the extracted URL is valid. If it is valid, the user is redirected to the specified URL. Otherwise, the user is redirected to a default safe URL, such as a homepage or landing page.

By implementing these remediation steps, the code effectively mitigates the open redirect vulnerability by validating and sanitizing the user-provided redirect URL before performing the redirection, thereby preventing potential exploitation by malicious actors.

Remediation Strategies:

Implement Whitelists: Employ whitelists for redirect destinations to restrict redirection to only trusted and pre-approved URLs, domains, or paths.

var allowedRedirects = ["https://example.com", "https://trusteddomain.com"];

function redirectUser(url) {
    if (allowedRedirects.includes(url)) {
        window.location.href = url;
    } else {
        console.error("Unauthorized redirect attempt");
    }
}
// Example usage:
var userInput = "https://example.com";
redirectUser(userInput);

Validate and Sanitize Input: When user input cannot be avoided, you should make sure that all supplied values are valid, are appropriate for the application, and are authorized for each user.

Force redirects to first go to a page that notify users they are redirected out of the website. The message should clearly display the destination and ask users to click on a link to confirm that they want to move to the new destination.

Encode Redirect URLs: Encode and validate redirect URLs to ensure that they conform to expected formats and are not manipulated by attackers to redirect users to malicious destinations.

function encodeRedirectUrl(url){
    return encodeURIComponent(url);
}

References: https://brightsec.com/blog/open-redirect-vulnerabilities/
https://www.acunetix.com/blog/web-security-zone/what-are-open-redirects/
https://www.stackhawk.com/blog/what-is-open-redirect/
https://portswigger.net/kb/issues/00500100_open-redirection-reflected

Open Redirect
Sast
Cyber Security Training
Vulnerability
Devsecops

--

--

Ajay Monga

Written by Ajay Monga

20 Followers

Security @ ADP | AI Security | SAST | Shift Left | My writing style is clear and concise, making complex security concepts understandable to a broad audience

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams