
Open Redirect

Beginner

Open redirects let attackers craft links that appear to come from a trusted domain but redirect victims to malicious sites. Exploit the vulnerability, bypass a naive fix, then implement proper validation.


Redirect Flow

1. Attacker sends link: app.example.com/login?redirect=...
2. Victim logs in: credentials are sent to the legitimate server
3. Server redirects (no check): 302 Location: ...
4. Victim lands safely: ...

Challenges

1. Basic Open Redirect: craft a redirect URL that sends the user to an attacker-controlled site after login.
2. Bypass Domain Check: the developer added a basic check that the URL contains 'example.com'. Bypass it.
3. Apply Strict Validation: switch to strict domain validation and verify that the bypass no longer works.
How to fix open redirects

Whitelist the allowed destination hosts and check the redirect target against that list using a proper URL parser, rather than a substring match on the raw string.
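The following Python is an added example, not the simulation's own code. It places the naive "contains 'example.com'" check from challenge 2 next to the strict validation that challenge 3 asks for, and shows how the login handler should compute the 302 Location from it. The allowlist of hosts, the permitted scheme and the default landing URL are assumed values chosen for the example.

```python
from urllib.parse import urlparse, urljoin

# Assumed values for this example: the only hosts a post-login redirect may
# point to, the only scheme accepted, and where to send users otherwise.
ALLOWED_HOSTS = {"app.example.com", "account.example.com"}
ALLOWED_SCHEMES = {"https"}
SAFE_DEFAULT = "https://app.example.com/"


def naive_redirect_is_allowed(target: str) -> bool:
    """The challenge-2 check: a substring test on the raw redirect string."""
    return "example.com" in target


def strict_redirect_is_allowed(target: str) -> bool:
    """Parse the target and compare its exact host against the allowlist."""
    if not target:
        return False
    # Resolve relative paths against our own origin so that "/dashboard" is
    # accepted, while a scheme-relative "//other.host/" resolves to that host
    # and is then judged by the host check below.
    absolute = urljoin(SAFE_DEFAULT, target)
    parts = urlparse(absolute)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # Reject any userinfo: "https://app.example.com@other.host/" parses to
    # host "other.host", with the trusted-looking part as the username.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, with port and userinfo stripped
    return host is not None and host in ALLOWED_HOSTS


def resolve_redirect(target: str) -> str:
    """Value the login handler should place in the 302 Location header."""
    if strict_redirect_is_allowed(target):
        return urljoin(SAFE_DEFAULT, target)
    return SAFE_DEFAULT


if __name__ == "__main__":
    # Constructed redirect parameters a validator should be tested against.
    samples = [
        "/dashboard",
        "https://account.example.com/settings",
        "http://app.example.com/",
        "//evil.example/",
        "https://example.com.evil.example/",
        "https://evil.example/?next=example.com",
        "https://app.example.com@evil.example/",
    ]
    for s in samples:
        print(f"{s:45} naive={naive_redirect_is_allowed(s)!s:5} "
              f"strict={strict_redirect_is_allowed(s)!s:5} -> {resolve_redirect(s)}")
```

The naive check accepts the last three samples because each contains the substring 'example.com'; the strict validator rejects all of them because the parsed host is not on the allowlist, and falls back to the safe default. Matching the exact hostname (not a prefix, suffix or substring) and pinning the scheme are what make the check hold up.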
