N01 Insecure Redirects
What this means
SiteShadow flagged redirect logic where the destination URL can be influenced by user input (query params like ?next=..., returnUrl=..., redirect=...).
Why it matters
Open redirects can enable phishing, token leakage, or malicious navigation.
- Phishing: your trusted domain becomes a "bounce" to malicious sites.
- Token leakage: OAuth codes/tokens can leak via redirect URLs if flows are misconfigured.
- User trust damage: users learn that links on your site can send them anywhere.
Safer examples
1) Use allowlisted relative paths (recommended)
```javascript
const next = req.query.next || "/dashboard";
// Require a single leading "/": "//host" and "/\host" are protocol-relative URLs, not local paths.
if (typeof next !== "string" || !/^\/(?![\/\\])/.test(next)) throw new Error("Invalid redirect");
res.redirect(next);
```
2) If absolute URLs are needed, allowlist hosts
```python
from urllib.parse import urlparse

allowed = {"app.example.com"}
u = urlparse(next_url)
# .hostname strips the port and any "user@" prefix, so the real destination host is compared
if u.scheme != "https" or u.hostname not in allowed:
    raise ValueError("Invalid redirect host")
```
3) Don't accept redirects from untrusted sources
Avoid reflecting arbitrary URLs back to clients.
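The two checks above combined into one resolver, as an added example that is not part of the SiteShadow guidance; ALLOWED_HOSTS and DEFAULT_TARGET are placeholder values. It goes beyond the snippets by falling back to a safe default instead of raising, and by rejecting protocol-relative, backslash, non-https and credential-prefixed forms that a bare prefix or hostname check would let through.

```python
from urllib.parse import urlparse

# Constructed placeholders; replace with the application's own values.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/dashboard"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that is either a same-site path or an https URL
    on an allowlisted host. Anything else resolves to the default target."""
    if not candidate or not isinstance(candidate, str):
        return default
    candidate = candidate.strip()

    # Same-site path: exactly one leading "/". A second "/" or a backslash
    # would be interpreted by browsers as a protocol-relative URL.
    if candidate.startswith("/"):
        if len(candidate) > 1 and candidate[1] in "/\\":
            return default
        return candidate

    # Absolute URL: require an explicit https scheme and an allowlisted host.
    # urlparse().hostname drops the port and any "user:pass@" prefix, so a
    # value like "https://app.example.com@other.example/" compares the real host.
    parsed = urlparse(candidate)
    if parsed.scheme != "https" or parsed.hostname is None:
        return default
    if parsed.hostname.lower() not in allowed_hosts:
        return default
    return candidate
```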
How SiteShadow detects it (high level)
- Flags redirect(...) calls using request-derived values.
- Checks for missing allowlists/validation around common redirect parameters.
References
- CWE-601: https://cwe.mitre.org/data/definitions/601.html
---