MEDIUM | CWE-601 | Input Validation
Open Redirect Vulnerability
Description
Your app accepts a redirect URL parameter and forwards users to it without validation, enabling phishing attacks.
How Vezraa Detects It
We probe your app for common redirect parameters (?redirect=, ?next=, ?url=) and test whether they redirect to external domains.
Real-World Impact
Attackers use your trusted domain to redirect users to phishing sites, making malicious URLs appear legitimate.
Fix Example
// BAD — open redirect
res.redirect(req.query.redirect);
// GOOD — validate against an allowlist of internal paths, fall back otherwise
const allowed = ['/dashboard', '/settings'];
if (allowed.includes(req.query.redirect)) {
  res.redirect(req.query.redirect);
} else {
  res.redirect('/dashboard');
}
Affected Stacks
Next.js, Express, All backends
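The Fix Example above compares the raw parameter against an exact allowlist, which is the right idea but leaves the handler itself to reason about inputs such as a same-origin absolute URL or a path carrying a query string. The following is an added example, not Vezraa's code or any project's own: it resolves the parameter against the application's own origin with Node's built-in WHATWG URL class and only then compares the normalised path with the allowlist, so protocol-relative, backslash and foreign-scheme forms all collapse to the fallback without any string pattern matching. APP_ORIGIN, ALLOWED_PATHS, safeRedirectTarget, redirectHandler and the req/res shapes are assumptions made for this example; it runs without Express.

```javascript
// Added example, not Vezraa's code: allowlist validation of a user-supplied
// redirect target for an Express-style handler. APP_ORIGIN, ALLOWED_PATHS,
// safeRedirectTarget and redirectHandler are names assumed for this example.
// Only Node's built-in WHATWG URL class is used, so no Express is required.

const APP_ORIGIN = 'https://app.example.com'; // constructed sample origin
const DEFAULT_TARGET = '/dashboard';
const ALLOWED_PATHS = new Set(['/dashboard', '/settings', '/profile']);

// Returns a path that is safe to pass to res.redirect(). Anything that does
// not resolve to an allowlisted path on our own origin collapses to the
// fallback, so the caller never has to reason about the raw input.
function safeRedirectTarget(raw, allowedPaths = ALLOWED_PATHS, fallback = DEFAULT_TARGET) {
  // Express parses a repeated ?redirect= into an array; only strings are accepted.
  if (typeof raw !== 'string' || raw.trim() === '') return fallback;

  // Resolve the value against our own origin exactly as a browser would.
  // This turns "//host", "/\\host" and absolute URLs into a parsed URL whose
  // origin can be compared, instead of pattern-matching the raw string.
  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN);
  } catch (err) {
    return fallback; // unparseable input
  }

  // Different origin: an external host, a protocol-relative form, or a
  // non-http scheme such as javascript:, whose origin serialises as "null".
  if (parsed.origin !== APP_ORIGIN) return fallback;

  // Compare the normalised path only; query string and fragment are dropped
  // so the redirect target is always exactly one of the allowlisted paths.
  return allowedPaths.has(parsed.pathname) ? parsed.pathname : fallback;
}

// Express-style handler; req.query and res.redirect are the assumed shapes.
function redirectHandler(req, res) {
  res.redirect(safeRedirectTarget(req.query.redirect));
}

// Stand-alone demonstration over constructed inputs.
function demo() {
  const samples = [
    '/settings',
    '/settings?tab=security#top',
    'https://app.example.com/profile',
    '//evil.example/login',
    '/\\evil.example',
    'https://evil.example/settings',
    'javascript:alert(1)',
    ['/settings'],
  ];
  for (const s of samples) {
    console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Returning the normalised pathname rather than echoing the input means the allowlist comparison and the value handed to res.redirect() are the same string, so a later change to the allowlist is the only place that needs review.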