Open Redirect

DOM-based open-redirection vulnerabilities arise when a script writes attacker-controllable data into a sink that can trigger cross-domain navigation.

Example 1

Consider the following code:

goto = location.hash.slice(1)      // source: everything after '#', fully attacker-controllable
if (goto.startsWith('https:')) {   // only checks the prefix, not the destination host
  location = goto;                 // sink: assigning to location navigates the browser
}

This code takes the string after the hash fragment (#) and, if it starts with https:, assigns it to location, which redirects the browser to that URL.

So this code reads from a source the attacker controls (location.hash) and writes to a sink that performs navigation (location). The result is an open redirect, which could be exploited for a phishing attack.

Example 2

Consider another example, vulnerable because of the unsafe way it handles the location.hash property:

let url = /https?:\/\/.+/.exec(location.hash);  // matches http(s):// anywhere in the fragment, any host
if (url) {
  location = url[0];                              // sink: navigates to whatever matched
}

An attacker may be able to use this vulnerability to construct a URL like https://vulnerable-website.com/#https://evil.com which, if visited by another user, will cause a redirect to evil.com.
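The two checks above beside a hardened replacement, as an added example that is not part of the original page. It assumes SITE_ORIGIN is the application's own origin and uses the WHATWG URL class (available in browsers and Node), so it runs without a browser; the fix is to parse the candidate and compare its whole origin against an allowlist rather than inspect a prefix or a regex match.

```javascript
// Assumed value for the application's own origin (placeholder, taken from the page's example).
const SITE_ORIGIN = 'https://vulnerable-website.com';

// Example 1's check: accepts any string that merely begins with "https:".
function vulnerableCheck1(fragment) {
  const target = fragment.slice(1);            // drop the leading '#'
  return target.startsWith('https:') ? target : null;
}

// Example 2's check: an unanchored regex, so http(s):// anywhere in the fragment matches.
function vulnerableCheck2(fragment) {
  const url = /https?:\/\/.+/.exec(fragment);
  return url ? url[0] : null;
}

// Hardened version: parse the candidate and allow it only if its origin is on the list.
// Relative paths resolve against the site itself; anything else must match an allowed origin.
function safeRedirectTarget(fragment, allowedOrigins = [SITE_ORIGIN]) {
  const candidate = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  if (candidate === '') return null;           // empty fragment: nothing to redirect to
  let parsed;
  try {
    parsed = new URL(candidate, SITE_ORIGIN);
  } catch (e) {
    return null;                               // unparsable input: refuse rather than guess
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (!allowedOrigins.includes(parsed.origin)) return null;  // origin = scheme + host + port
  return parsed.href;
}
```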