What is Open Redirect? - apviso

Open Redirect
=============

A vulnerability where a web application redirects users to an attacker-controlled URL, enabling phishing and credential theft.

Tags: vulnerability, phishing, web security

An open redirect vulnerability occurs when a web application accepts user-controllable input that specifies a URL for redirection without proper validation. Attackers exploit this to redirect users from a trusted domain to a malicious site, making phishing attacks more convincing because the initial URL appears to be from the legitimate site.

Open redirects commonly appear in login flows (redirect after authentication), logout flows, link shorteners, and email tracking URLs. While often considered low severity on their own, open redirects become more impactful when used in OAuth flows (to steal authorization codes), combined with SSRF, or as part of a social engineering attack chain.

Mitigations include maintaining an allowlist of permitted redirect destinations, validating that redirect URLs belong to the same domain, and avoiding redirect parameters altogether by using server-side redirect mappings.

How APVISO tests for this: APVISO's pentester agent tests all redirect parameters for open redirect vulnerabilities, including bypass techniques like protocol-relative URLs, URL-encoded payloads, and domain confusion techniques. It identifies redirects in login/logout flows, OAuth callbacks, and link tracking endpoints.
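The allowlist and same-domain checks described above, written out as a redirect-target validator that also covers the bypass classes the page names (protocol-relative URLs, URL-encoded payloads, domain confusion). This is an added example, not APVISO code; the `ALLOWED_HOSTS` set and `DEFAULT_TARGET` are constructed values for illustration.

```python
"""Validate a user-supplied redirect target against an allowlist (added example)."""
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed allowlist for the example; a real application supplies its own hosts.
ALLOWED_HOSTS = {"example.com", "app.example.com"}
DEFAULT_TARGET = "/"  # where to send the user when the target is rejected


def safe_redirect_target(raw):
    """Return a redirect target that is safe to place in a Location header.

    Validation runs on the single-decoded form, so an encoded payload such as
    %2F%2Fevil.com is judged as //evil.com rather than as a harmless path.
    Anything that fails a check collapses to DEFAULT_TARGET.
    """
    if not raw:
        return DEFAULT_TARGET
    candidate = unquote(raw).strip()
    # Browsers turn "\" into "/" and tolerate embedded tabs/newlines; urllib does
    # not, so refuse both rather than risk a parser mismatch.
    if any(ch < " " or ch == "\\" for ch in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a rooted path with a single leading slash.
        # "//evil.com" sets netloc (handled below); "///evil.com" is still
        # scheme-relative to a browser, so the startswith("//") test rejects it.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, and protocol-relative "//host"
    host = parts.hostname  # lowercased; userinfo and port are already stripped
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET  # exact match defeats example.com.evil.com lookalikes
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return DEFAULT_TARGET
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild from the parsed parts so "evil.com@example.com" userinfo tricks
    # never reach the emitted header.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```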

Related Terms
-------------

- [Cross-Site Scripting (XSS)](/glossary/cross-site-scripting)
- [Server-Side Request Forgery (SSRF)](/glossary/ssrf)

Test your applications for open redirect vulnerabilities
--------------------------------------------------------

APVISO's AI agents automatically test for this and many more vulnerability categories.

© 2026 APVISO. All rights reserved.
