Open redirect vulnerabilities occur when a web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. This can be used for phishing attacks or to bypass security controls.
- URL parameters (redirect, url, return, next)
- Login/logout redirect parameters
- OAuth callback URLs
- Error page redirects
Submit external URLs in redirect parameters to test if the application redirects to arbitrary external sites.
See open-redirect-payloads.txt for a comprehensive list of open redirect payloads.