# URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.

- Prevalence: Medium 3 languages covered
- Impact: Medium Review recommended
- Prevention: Documented 4 fix examples

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

An open redirect vulnerability occurs when an application takes user input and uses it to redirect the user to a different URL. Attackers can exploit this to redirect users to malicious sites.

## Prevention

Prevention strategies for Open Redirect based on 4 Shoulder detection rules.

### Go

Validate redirect URLs against an allowlist of trusted domains

### Node.js

Validate redirect targets against an allowlist of permitted paths

Validate redirect URLs against an allowlist or enforce relative paths

### Python

Validate redirect URLs against a domain allowlist or use relative paths

## Warning Signs

- [MEDIUM] User input flows to redirect without validation
- [MEDIUM] user-controlled input flowing into redirect targets in Next
- [MEDIUM] user input flowing into redirect functions without URL validation
- [MEDIUM] unvalidated redirects using user input

## Consequences

- Gain Privileges
- Bypass Protection Mechanism

## Mitigations

- Validate URLs against an allowlist of trusted domains
- Use a mapping system rather than direct URL parameters
- Display warning pages before redirecting to external sites

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Next.js Open Redirect** [MEDIUM]: Detects user-controlled input flowing into redirect targets in Next.js middleware.
  - Remediation: Validate redirect targets against an allowlist of permitted paths.

```typescript
const ALLOWED_PATHS = ['/login', '/dashboard', '/profile'];
const redirect = request.nextUrl.searchParams.get('redirect');

if (redirect && ALLOWED_PATHS.includes(redirect)) {
  return NextResponse.redirect(new URL(redirect, request.url));
}
return NextResponse.redirect(new URL('/', request.url));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-601/nextjs-open-redirect
- **Open Redirect via Untrusted URLs** [MEDIUM]: Detects user input flowing into redirect functions without URL validation.
  - Remediation: Validate redirect URLs against an allowlist or ensure they are relative paths.

```javascript
const ALLOWED = ['/home', '/dashboard', '/profile'];
if (ALLOWED.includes(url) || url.startsWith('/')) {
  res.redirect(url);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect

### Typescript (2 rules)

- **Next.js Open Redirect** [MEDIUM]: Detects user-controlled input flowing into redirect targets in Next.js middleware.
  - Remediation: Validate redirect targets against an allowlist of permitted paths.

```typescript
const ALLOWED_PATHS = ['/login', '/dashboard', '/profile'];
const redirect = request.nextUrl.searchParams.get('redirect');

if (redirect && ALLOWED_PATHS.includes(redirect)) {
  return NextResponse.redirect(new URL(redirect, request.url));
}
return NextResponse.redirect(new URL('/', request.url));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-601/nextjs-open-redirect
- **Open Redirect via Untrusted URLs** [MEDIUM]: Detects user input flowing into redirect functions without URL validation.
  - Remediation: Validate redirect URLs against an allowlist or ensure they are relative paths.

```javascript
const ALLOWED = ['/home', '/dashboard', '/profile'];
if (ALLOWED.includes(url) || url.startsWith('/')) {
  res.redirect(url);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect

### Go (1 rules)

- **Open Redirect** [MEDIUM]: User-controlled input used in http.Redirect without URL validation.
  - Remediation: Validate redirect URLs against a whitelist of allowed domains.

```go
allowed := map[string]bool{"example.com": true}
u, err := url.Parse(redirectURL)
if err != nil || !allowed[u.Host] {
    http.Error(w, "Invalid redirect", 400)
    return
}
http.Redirect(w, r, redirectURL, http.StatusFound)
```

Learn more: https://shoulder.dev/learn/go/cwe-601/open-redirect

### Python (1 rules)

- **Open Redirect** [MEDIUM]: Detects unvalidated redirects using user input.
  - Remediation: Validate redirect URLs against an allowlist of permitted domains.

```python
from urllib.parse import urlparse
ALLOWED_DOMAINS = {"myapp.com"}
if urlparse(url).netloc not in ALLOWED_DOMAINS:
    url = "/"
```

Learn more: https://shoulder.dev/learn/python/cwe-601/open-redirect