What is an open redirect vulnerability?

Answer

An open redirect vulnerability occurs when an application takes user-controlled input and redirects to it without proper validation, so the destination can be any external URL. Example: https://example.com/redirect?url=https://evil.com — the app sends the user to the attacker's site.

This is dangerous because:
(1) Phishing: the link starts with the trusted domain, which helps it pass email filters and look legitimate to the user, and then redirects to a malicious site.
(2) OAuth token theft: if redirect URIs are not strictly validated in OAuth flows, an attacker can have access tokens delivered to their own server.

Prevention:
(1) Avoid open redirects entirely — use indirect references: the redirect parameter names an entry in an allowlist that maps to the real target, never a URL.
(2) If redirects must be dynamic, keep a strict allowlist of permitted external URLs or domains.
(3) Check that the redirect destination is on that allowlist before issuing the redirect.
(4) Show the user the destination URL and require confirmation for external redirects.
(5) Never place raw user input directly in a redirect response.
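As an added example (not part of the original answer), the following Python shows the vulnerable pattern beside an allowlist check and an indirect-reference map. The origin, allowlist and target names are constructed for illustration; the check resolves the parameter against the app's own origin and then compares the resulting host, which is what defeats the usual bypasses (absolute URLs, protocol-relative "//evil.com", lookalike subdomains, userinfo tricks and non-http schemes).

```python
from urllib.parse import urlparse, urljoin

APP_ORIGIN = "https://example.com"                   # assumed: the app's own origin
ALLOWED_HOSTS = {"example.com", "docs.example.com"}  # constructed allowlist
# Indirect references: the parameter names a key, never a URL.
NAMED_TARGETS = {"dashboard": "/dashboard",
                 "help": "https://docs.example.com/help"}  # constructed map


def vulnerable_redirect_target(url_param: str) -> str:
    """The flaw: whatever the client sent becomes the Location header."""
    return url_param


def safe_redirect_target(url_param: str, default: str = "/") -> str:
    """Resolve url_param against the app origin and allow it only when the
    resulting host is on ALLOWED_HOSTS; anything else falls back to default."""
    if not url_param:
        return default
    # Browsers treat a backslash like a forward slash; normalise before
    # parsing so "/\evil.com" is seen the way a browser would see it.
    candidate = url_param.replace("\\", "/")
    # urljoin keeps an explicit host, so "https://evil.com" and the
    # protocol-relative "//evil.com" both resolve to the attacker's host
    # and are caught by the allowlist check below.
    resolved = urljoin(APP_ORIGIN + "/", candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):       # rejects javascript:, data:
        return default
    # .hostname drops userinfo ("example.com@evil.com" -> "evil.com") and
    # port, and lowercases, so the comparison is against the real host.
    if parsed.hostname is None or parsed.hostname not in ALLOWED_HOSTS:
        return default
    return resolved


def named_redirect_target(name: str, default: str = "/") -> str:
    """Indirect reference: the parameter can only select a known target."""
    return NAMED_TARGETS.get(name, default)
```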