# URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. **Stack:** JavaScript - Prevalence: Medium 3 languages covered - Impact: Medium Review recommended - Prevention: Documented 4 fix examples **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description An open redirect vulnerability occurs when an application takes user input and uses it to redirect the user to a different URL. Attackers can exploit this to redirect users to malicious sites. ## Prevention Prevention strategies for Open Redirect based on 2 Shoulder detection rules. ### JavaScript Validate redirect targets against an allowlist of permitted paths Validate redirect URLs against an allowlist or enforce relative paths ## Warning Signs - [MEDIUM] user-controlled input flowing into redirect targets in Next - [MEDIUM] user input flowing into redirect functions without URL validation ## Consequences - Gain Privileges - Bypass Protection Mechanism ## Mitigations - Validate URLs against an allowlist of trusted domains - Use a mapping system rather than direct URL parameters - Display warning pages before redirecting to external sites ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (2 rules) - **Next.js Open Redirect** [MEDIUM]: Detects user-controlled input flowing into redirect targets in Next.js middleware. - Remediation: Validate redirect targets against an allowlist of permitted paths. ```typescript const ALLOWED_PATHS = ['/login', '/dashboard', '/profile']; const redirect = request.nextUrl.searchParams.get('redirect'); if (redirect && ALLOWED_PATHS.includes(redirect)) { return NextResponse.redirect(new URL(redirect, request.url)); } return NextResponse.redirect(new URL('/', request.url)); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/nextjs-open-redirect - **Open Redirect via Untrusted URLs** [MEDIUM]: Detects user input flowing into redirect functions without URL validation. - Remediation: Validate redirect URLs against an allowlist or ensure they are relative paths. ```javascript const ALLOWED = ['/home', '/dashboard', '/profile']; if (ALLOWED.includes(url) || url.startsWith('/')) { res.redirect(url); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect ### Typescript (2 rules) - **Next.js Open Redirect** [MEDIUM]: Detects user-controlled input flowing into redirect targets in Next.js middleware. - Remediation: Validate redirect targets against an allowlist of permitted paths. ```typescript const ALLOWED_PATHS = ['/login', '/dashboard', '/profile']; const redirect = request.nextUrl.searchParams.get('redirect'); if (redirect && ALLOWED_PATHS.includes(redirect)) { return NextResponse.redirect(new URL(redirect, request.url)); } return NextResponse.redirect(new URL('/', request.url)); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/nextjs-open-redirect - **Open Redirect via Untrusted URLs** [MEDIUM]: Detects user input flowing into redirect functions without URL validation. - Remediation: Validate redirect URLs against an allowlist or ensure they are relative paths. ```javascript const ALLOWED = ['/home', '/dashboard', '/profile']; if (ALLOWED.includes(url) || url.startsWith('/')) { res.redirect(url); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect