Open Redirect
A vulnerability in a legitimate website that allows an attacker to craft a link pointing to that site which then silently redirects the visitor to a malicious destination.
Also known as: unvalidated redirect, redirect vulnerability, open forward
Last reviewed: 1 June 2026
An open redirect occurs when a web application takes a destination URL from a request parameter (commonly named 'next', 'url', 'redirect', 'returnTo' or similar) and forwards the visitor there without validating it. For example, a login page at 'trustedbank.com/login?next=https://evil.com' sends the user to 'evil.com' once the login completes, yet the link itself starts with 'trustedbank.com', so it appears safe.
Attackers use open redirects to lend legitimacy to phishing campaigns: the link in the email genuinely begins with a trusted domain, which can fool both human recipients and automated filters that judge a link by its host. Because the hop is an ordinary HTTP redirect issued by the trusted site, a reputation check that does not follow redirects never sees the final destination. The victim trusts the link because the visible URL looks correct, then lands on a convincing copy of the real login page.
Open redirects are classified as a web application security flaw (CWE-601, 'URL Redirection to Untrusted Site'). Reporting the issue to the site owner (responsible disclosure) and patching it there is the primary fix: the application should accept only destinations it controls, for example an absolute path on its own origin or a short key that is looked up in a server-side table of allowed URLs, and fall back to a default page for anything else. Naive checks are routinely bypassed: a test that the value starts with '/' lets through protocol-relative '//evil.com' and '/\evil.com' (browsers treat the backslash as a slash), and a test that the string contains or starts with the trusted domain lets through 'https://trustedbank.com.evil.com' and 'https://trustedbank.com@evil.com'. Users can reduce their risk by reading the full URL, including its parameters, before clicking, using a password manager that only fills credentials on the exact domain they were saved for, and treating links whose parameter strings name another site as suspect.
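As an added illustration (example code written for this entry, not taken from any real site or framework), the following Python shows the vulnerable pattern beside a hardened validator for a post-login destination parameter. The parameter name 'next', the host 'trustedbank.com' from the example above, and the list of test payloads are all assumed or constructed here; the validator uses only the standard library.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def vulnerable_next(next_param: str, fallback: str = "/") -> str:
    """The open-redirect pattern: the client-supplied value becomes the
    Location header verbatim, so 'https://evil.com' or '//evil.com' leaves the site."""
    return next_param or fallback


def safe_next(next_param: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on the current origin, or `fallback`.

    Only an absolute path on this site is accepted ('/account?tab=cards#top').
    Anything carrying a scheme or host is refused, as are the usual tricks that
    make a value look like a path to a naive check but like a host to a browser.
    """
    if not next_param:
        return fallback

    # Control characters and spaces: browsers strip or tolerate some of these
    # before parsing, so a value that looks harmless here may parse differently
    # there. Legitimate paths percent-encode such characters.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_param):
        return fallback

    # Exactly one leading slash, followed by neither '/' nor '\'.
    # '//evil.com' is protocol-relative; browsers also read '/\evil.com' and
    # '///evil.com' as '//evil.com'. A backslash anywhere is refused because
    # WHATWG URL parsing treats it as '/' in http(s) URLs.
    if "\\" in next_param or not re.match(r"^/(?![/\\])", next_param):
        return fallback

    # Defence in depth: with a single leading slash the parser must see no
    # scheme and no authority. Re-serialise from the parsed parts so only
    # path, query and fragment survive.
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed payloads (not from any real incident): bypasses for common naive
# checks such as startswith("/") or '"trustedbank.com" in value', plus one
# legitimate same-site path.
PAYLOADS = [
    "/account?tab=cards#top",             # legitimate same-site path
    "https://evil.com/login",             # absolute URL
    "//evil.com/login",                   # protocol-relative
    "/\\evil.com/login",                  # backslash read as slash by browsers
    "///evil.com/login",                  # extra slashes collapse to //evil.com
    "https://trustedbank.com.evil.com/",  # trusted name as a subdomain of evil
    "https://trustedbank.com@evil.com/",  # trusted name as userinfo
    "javascript:alert(document.domain)",  # scheme, not a path
    "/account\r\nSet-Cookie: a=b",        # CRLF, header injection attempt
]


def compare(payloads=PAYLOADS):
    """Map each payload to (where the vulnerable code sends you, where the safe code does)."""
    return {p: (vulnerable_next(p), safe_next(p)) for p in payloads}


if __name__ == "__main__":
    for p, (vuln, safe) in compare().items():
        print(f"{p!r:40} vulnerable -> {vuln!r:40} safe -> {safe!r}")
```

In a Flask-style handler the call would be `return redirect(safe_next(request.args.get("next", "")))` (framework call assumed, not shown above). The alternative that needs no URL parsing at all is to accept only a short key such as 'next=account' and look the real destination up in a server-side dictionary, which is the safer design when the set of post-login pages is small.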
Examples
- A phishing email links to 'bigbank.com/redirect?url=https://bigbank-secure.evil.com', appearing legitimate while sending the victim to a fraudulent site.