Skill

open-redirect

Detects open redirect vulnerabilities (CWE-601) when redirecting to user-supplied URLs from params, forms, login flows, or OAuth callbacks. Suggests host allowlist validation fixes.

Python

Java

Javascript

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against open redirect vulnerabilities where an attacker crafts a link that

SKILL.md

Similar Skills

testing-for-open-redirect-vulnerabilities

5.9k

Tests open redirect vulnerabilities in web apps by identifying redirect parameters, applying bypass payloads, and chaining for phishing or token theft in login/OAuth/SSO flows.

3 files

cybersecurity-skills

testing-for-open-redirect-vulnerabilities

Identifies and tests open redirect vulnerabilities in web apps by analyzing URL parameters, bypass techniques like encoding and subdomain tricks, and phishing exploitation chains. Useful for login, OAuth, and SSO audits.

asi

testing-for-open-redirect-vulnerabilities

Tests web apps for open redirect vulnerabilities via URL parameter analysis, bypass payloads like encoding/@ tricks, and chains for phishing/OAuth token theft.

3 files

cybersecurity-skills-zh

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Open Redirect Security Check (CWE-601)

What this checks

Protects against open redirect vulnerabilities where an attacker crafts a link that redirects users from a trusted domain to a malicious site. Used in phishing campaigns to make malicious links appear legitimate, and in OAuth flows to steal authorization codes.

Vulnerable patterns

redirect(request.args["next"]) — redirects to any URL the caller supplies
http.Redirect(w, r, r.URL.Query().Get("return"), 302) — no validation
response.sendRedirect(req.getParameter("url")) — Java unvalidated redirect
window.location = params.get("redirect") — client-side open redirect

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Every redirect target is either a relative path or a member of an exact host allowlist. Parse the URL, inspect the host, and reject anything outside the allowlist. Prefix matching (startswith) is not sufficient — allowed.com.evil.com passes a prefix check.
Scheme-relative URLs are blocked explicitly. A value starting with // parses as a protocol-relative URL and redirects to whatever host follows. Checking for http:// / https:// alone misses this.
OAuth and login "return-to" parameters go through the same validator as any other redirect target. These are the highest-value targets because they run in an authenticated context; a redirect here hands the attacker the post-login session or an authorization code.
On validation failure, redirect to a safe default (/, home, dashboard) rather than echoing an error containing the malicious URL. Echoing it back gives attackers a reflected-XSS surface.

Anchor — shape, not implementation:

def safe_redirect(target):
    if target.startswith("//"): return "/"       # block scheme-relative
    u = parse(target)
    if u.host and u.host not in ALLOWED_HOSTS: return "/"
    return target

Verification

Every redirect target derived from user input is validated as either a relative path or a member of an explicit host allowlist
Scheme-relative URLs (//evil.com) are blocked — not just http:// and https://
OAuth/login "return_to" parameters are validated before redirect

References

CWE-601 (URL Redirection to Untrusted Site)