A post-login redirect endpoint that passes the next parameter directly to the response. Find the inputs that redirect to an external domain and the bypass that defeats simple URL checks.
An open redirect occurs when an application uses a user-controlled URL parameter to redirect after an action — such as login — without validating that the destination is safe. Attackers use this to redirect victims to phishing sites while the link appears to originate from a trusted domain. Common bypass vectors include protocol-relative URLs (//evil.com), javascript: URIs, and URL-encoding tricks.
| Verdict | Observation |
|---|---|
| True Positive | Internal path /qa-sandbox/ redirects safely — no external domain involved |
| Bug Found | https://evil.com is accepted — no scheme or host validation performed |
| Bug Found | //evil.com bypasses naive http(s):// prefix checks |
| Bug Found | javascript:alert(1) turns the redirect into a reflected XSS vector |
Enter a value for the next parameter, or use a quick-test button. The sandbox simulates what the endpoint would do — no actual redirect occurs.
- /qa-sandbox/ — internal path, redirect works correctly, no external domain (true positive)
- https://evil.com — absolute URL with an external host, no scheme or domain check is performed (bug found)
- //evil.com — protocol-relative URL, bypasses a naïve check that only rejects http:// or https:// prefixes (bug found)
- javascript:alert(document.domain) — the javascript: scheme turns the redirect into script execution in the user's browser (bug found)
- %2F%2Fevil.com or https%3A%2F%2Fevil.com — validators that decode before checking are still vulnerable
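The following is an added example, not the sandbox's own code: a naive prefix-based check of the kind the quick tests above defeat, beside a hardened validator that decodes the value first and then parses it structurally, accepting only a single-slash local path. The function names (`naive_redirect_target`, `is_safe_next`, `hardened_redirect_target`) and the decode-round limit are assumptions for illustration.

```python
from urllib.parse import unquote, urlsplit


def naive_redirect_target(next_value: str) -> str:
    """Vulnerable handler: only absolute http(s):// values are rejected.

    Everything else is echoed into the Location header, so //evil.com
    and javascript: values pass straight through.
    """
    if next_value.lower().startswith(("http://", "https://")):
        return "/"
    return next_value


def is_safe_next(next_value: str, max_decode_rounds: int = 3) -> bool:
    """Return True only for a local, single-slash path such as /qa-sandbox/."""
    # Decode repeatedly (bounded) so %2F%2Fevil.com is judged in the form the
    # browser will actually follow, not in its encoded form.
    candidate = next_value
    for _ in range(max_decode_rounds):
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded

    # Backslashes and control characters are normalised by browsers in ways a
    # string check cannot predict (e.g. "/\\evil.com" becoming "//evil.com").
    if any(ch == "\\" or ord(ch) < 0x20 for ch in candidate):
        return False

    # Parse structurally instead of prefix-matching: any scheme (https:,
    # javascript:, data:) or any authority component means it is not a
    # path on this application.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False

    # Must start with exactly one slash; "//" and "///" are host-relative.
    return candidate.startswith("/") and not candidate.startswith("//")


def hardened_redirect_target(next_value: str, fallback: str = "/") -> str:
    """Hardened handler: unsafe values fall back to a fixed local path."""
    return next_value if is_safe_next(next_value) else fallback
```

Each quick-test value from the list above can be passed to both handlers to compare what ends up in the Location header.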