| name | sc-open-redirect |
| description | Open redirect detection — unvalidated redirect URLs, protocol-relative bypasses, and URI scheme abuse |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Open Redirect
Purpose
Detects open redirect vulnerabilities where user-controlled input determines the destination of HTTP redirects, enabling phishing attacks, OAuth token theft, and SSRF chaining. Covers URL parameter redirects, protocol-relative URL bypasses, backslash tricks, and JavaScript/data URI schemes.
Activation
Called by sc-orchestrator during Phase 2 when redirect functionality is detected.
Phase 1: Discovery
Keyword Patterns to Search
"redirect(", "res.redirect(", "response.sendRedirect(",
"http.Redirect(", "redirect_to(", "RedirectToAction(",
"Location:", "window.location", "document.location",
"return_url", "redirect_url", "next=", "callback=", "url=", "goto="
Vulnerability Pattern
app.get('/redirect', (req, res) => {
res.redirect(req.query.url);
});
const ALLOWED_HOSTS = ['example.com', 'app.example.com'];
app.get('/redirect', (req, res) => {
const url = new URL(req.query.url, 'https://example.com');
if (!ALLOWED_HOSTS.includes(url.hostname)) {
return res.status(400).send('Invalid redirect');
}
res.redirect(url.toString());
});
Bypass Techniques to Check
- Protocol-relative:
//evil.com
- Backslash:
\/evil.com or \evil.com
- URL encoding:
%2f%2fevil.com
- Data URI:
data:text/html,<script>...
- JavaScript URI:
javascript:alert(1)
@ in URL: https://example.com@evil.com
Severity Classification
- Critical: Open redirect in OAuth callback enabling token theft
- High: Open redirect on login/auth pages enabling credential phishing
- Medium: Open redirect on general pages, or redirect with URL visible to user
- Low: Open redirect requiring authentication, or in non-sensitive flows
Output Format
Finding: REDIR-{NNN}
- Title: Open Redirect in {endpoint}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-601 (Open Redirect)
- Description: Redirect destination from {parameter} is not validated against an allowlist.
- Impact: Phishing, OAuth token theft, reputation damage, SSRF chaining.
- Remediation: Validate redirect URL against domain allowlist. Use relative paths only.
- References: https://cwe.mitre.org/data/definitions/601.html
Common False Positives
- Relative redirects —
/dashboard or ./profile cannot redirect to external domains
- Hardcoded redirect URLs — redirect to constant URLs
- Framework-safe redirects — some frameworks validate redirect URLs by default