/Code Review/Open Redirect in Login

Open Redirect in Login

Unvalidated redirect vulnerability allowing phishing attacks through malicious URLs.

MEDIUMEasy

Vulnerable Codejavascript

1app.get('/login', (req, res) => {
2    const { returnUrl } = req.query;
3    
4    if (req.session.user) {
5        // Redirect to returnUrl after login
6        return res.redirect(returnUrl || '/dashboard');
7    }
8    
9    res.render('login', { returnUrl });
10});
11
12app.post('/login', (req, res) => {
13    const { username, password, returnUrl } = req.body;
14    
15    if (validateCredentials(username, password)) {
16        req.session.user = username;
17        res.redirect(returnUrl || '/dashboard');
18    } else {
19        res.render('login', { error: 'Invalid credentials' });
20    }
21});

Understanding the Issue

The vulnerable code blindly redirects to user-controlled URLs, enabling phishing attacks. Attackers craft login links that redirect to fake sites after authentication. The secure version validates returnUrl to only allow relative paths within the application.

Phishing via Open Redirect

Redirect users to attacker site that looks like legitimate login

Malicious Input

https://legitimate.com/login?returnUrl=https://evil.com/steal-creds

Impact

User logs in successfully then gets redirected to evil.com

Technical Details

Vulnerability Type: Open Redirect
Severity: MEDIUM
Language: Javascript
CWE: CWE-601
OWASP: A01:2021 – Broken Access Control

Open Redirect in Login

Understanding the Issue

How Attackers Exploit This

Phishing via Open Redirect

Finding the Vulnerability(3 hints)

Technical Details

Open Redirect in Login

Understanding the Issue

How Attackers Exploit This

Phishing via Open Redirect

Finding the Vulnerability(3 hints)

Technical Details