How To Redirect Users Safely To Other Websites

Nova Security

Nov 25, 2023 — 2 min read

Performing Safe Redirects

You probably ever had to redirect your users from your website to another third-party's site that you do not control.

And because of that, you've added a function to your existing app route or endpoint that reads a (query) parameter, and redirects the user to the URL that was provided, and perhaps without any further validation.

This, by definition, is an Open URL Redirect vulnerability and can cause several consequences to your user's safety (from phishing to potential account takeovers).

In this post, we'll go over several ways on how you can easily avoid these and redirect your users safely.

Mitigation

Always ask yourself, is there a need to allow the user to get redirected to any kind of website from yours?

If this is not the case, a whitelist-based approach is the most effective solution. In practice, this means defining all whitelisted URLs and afterwards redirecting the user to end URL if the condition is allowed.

If you do need to redirect users to another website that you do not control (think about a blogging platform or a public forum), the safest way to do so is prompting the user for confirmation before redirecting.

This can be a separate page or view that the user gets to see before the redirect takes place.

This makes sure that:

The user is well-aware of a redirect.
The user can view the full URL or link that he/she is about to visit.

Example:

Once the user clicks on "Yes", he/she gets redirected to the URL he/she wanted to visit.

ℹ️

Make sure that in case this is a client-side (/DOM-based) redirect that you disable the use of the javascript protocol to prevent client-side code execution (XSS), effectively.

This is beyond the scope of this post but you can read more about it on our blog.

Scan For Open Redirect Vulnerabilities on Your Website Today

- Server-Side, DOM-based & FORM-based Open Redirects
- Detailed Reproduction Steps + Mitigation
- No False Positives

SCAN NOW

Exploring Hidden Attack Surfaces: Performing Better Content Discovery

Exploring Hidden Attack Surfaces is a new blog post series curated by Nova Security for the community to help you on your way to discover any attack surfaces that most current tools are not capable of. Part 2 is dedicated to performing better content discovery so that you can have

What Is Targeted Bruteforcing?

Targeted bruteforcing in content discovery is a lesser-known and more sophisticated technique of bruteforcing. It is also a more effective approach and it likely also yields more accurate results. In content discovery, targeted bruteforcing consists of 2 separate steps. The first step is to identify the technologies used by the

What is DNS (Subdomain) Bruteforcing?

If you are an experience penetration tester, bug bounty hunter or have experience in web security, you probably have heard of DNS or Subdomain bruteforcing before. It is a technique often used in the reconnaissance phase of your testing to further help map out your entire attack surface. What is

What Is An Automated Web Security Audit?

An automated web security audit is a process of using scanners to scan (such as Nova Security Scanner) and test web applications for security vulnerabilities and misconfigurations. The goal of an automated web security audit is to identify and mitigate any potential security risks before they can be exploited by