Open Redirects and why you should avoid it if possible

I'll start with: what is an open redirect? 🤔 And why should you even care? 🤷‍♀️

Open redirects can cause harm, damage your system, or even expose your private information. So what is it exactly 😕? An open redirect is a way of redirecting a user from one site to another, with the destination taken from the URL itself.

Have you ever seen something like this:

That's an example of a URL that can redirect a user to another website.

It can be good 😇, meaning the destination is another website the owners of the initial site want you to visit to complete an operation or process, or a new version of the initial website. Or it can be bad 👿, redirecting you to a harmful site. The good thing is that you can see it coming if you're careful.

Okay, so open redirects can be exploited in the following ways:

  • Phishing, no, not fishing 🐟 😅
  • Sending malware 🙀
  • or even XSS

Let's talk about these for a minute 🕰🗣

I must let you know that this is not a comprehensive guide to open redirects. This article will show you how open redirects are exploited and, to some extent, how to prevent them.


Phishing

Phishing is a general term for deceptive attempts to trick users into handing over private information, which is then used for identity theft.

A phishing email might carry a link that abuses this vulnerability; clicking it takes you to a page that tricks you into giving up personal information like credit card details, passwords, etc. It will often have a sense of urgency to it too.

Sending malware 🙀

The URL can also redirect you to downloading malware. Here's an example.

This link clearly states that it is malware, but that won't always be the case. We'll get to preventive measures in a bit. By the way, be careful not to click links like that if you're not sure what they are. Also, most browsers show you the address of a link before you click it (for example, when you hover over it).


XSS

Well, I'll leave this one to the backend engineers here to do more research 😁.

So how do we even prevent this in the first place? 😩

  • One way is for backend developers to avoid 🚫 using open redirects at all.

  • Where a redirect is needed, backend developers should verify any address taken from a URL path segment or query parameter before redirecting to it (checking it against an allow-list of permitted redirect targets, or validating it with a regular expression).

  • Query parameters with names like redirect, redir, url, exit, external-link, q, page, goto, etc. are the usual places this shows up, so treat URLs carrying them with care. The name could be anything, though, so you need to be careful either way.
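To make the second bullet concrete, here is an added example (not the article's own code) of a redirect handler written the careless way beside one that validates the target against an allow-list. The host names in ALLOWED_HOSTS and the sample values in the comments are constructed for this illustration; framework glue is left out, so each function just takes the raw parameter value and returns the URL the server should send the user to.

```python
"""Allow-list validation for a redirect target taken from a query parameter.

Added example, not the article's code: a vulnerable handler beside a
hardened one.  The functions take the raw ``?next=`` value and return the
URL the server should redirect to.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts we are willing to send users to (constructed for this example).
ALLOWED_HOSTS = {"example.com", "accounts.example.com"}


def vulnerable_redirect(next_url: str) -> str:
    """The 'before': trusts ?next= blindly, so any site can become the target."""
    return next_url


def safe_redirect(next_url: str, default: str = "/") -> str:
    """The 'after': only local paths or allow-listed https hosts survive.

    Anything else (other hosts, odd schemes, scheme-relative //host forms,
    backslash or user@host tricks, control characters) falls back to
    ``default`` instead of being followed.
    """
    # Backslashes and whitespace are interpreted differently by browsers
    # and URL parsers, so refuse them outright rather than guess.
    if not next_url or any(c in next_url for c in "\\\r\n\t "):
        return default

    parts = urlsplit(next_url)

    # Case 1: a plain local path such as "/account/settings?tab=2".
    # "//evil.example.net" has an empty scheme but a non-empty netloc, so it
    # does not land here; "evil.example.net/x" has no leading slash and is
    # rejected below.
    if not parts.scheme and not parts.netloc:
        if next_url.startswith("/") and not next_url.startswith("//"):
            # Re-assemble from parsed parts so the fragment is dropped.
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return default

    # Case 2: an absolute URL, allowed only over https to a known host.
    if parts.scheme != "https":
        return default
    if "@" in parts.netloc:
        # "https://example.com@evil.example.net/" would otherwise read as
        # example.com to a human and evil.example.net to the browser.
        return default
    host = parts.hostname or ""  # urlsplit lower-cases this for us
    if host not in ALLOWED_HOSTS:
        return default  # exact match: "example.com.evil.example.net" fails
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```

The design point is the exact-match allow-list on the parsed hostname: a `startswith("https://example.com")` check or a loosely written regex would accept `https://example.com.evil.example.net/` and `https://example.com@evil.example.net/`, which is exactly the class of mistake the bullet above warns about. Parsing first and then comparing whole components is what makes the check hold up.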

Okay 🤓

I think I have achieved what I wanted with this particular article. Its purpose was not so much to teach you how open redirects work as to make you aware of the harm they can do, and I think I've done a bit of both. Now it's your turn to do more research.

Thanks for reading, peace ❤️✌️