An open redirect is an OWASP-recognized vulnerability in a web application that allows unrestricted, arbitrary redirection to any URL on the Internet.  Open redirects are often abused by malicious spammers who use your domain as a temporary “landing page” to trick email users, searchers, and search engines into following links that appear to point to your legitimate site but actually redirect to their malicious site.

Exploited open redirects can be used for any number of malicious goals, including, but not limited to, malware distribution, phishing attacks, spam filter avoidance, search engine poisoning, referral fraud, etc.

If your website has been identified as operating an exploitable open redirect, you must take action to correct the situation.  The quickest and most effective ways to mitigate the vulnerability are adding an intermediate/interstitial disclaimer page, as described in the mitigation section of this page, and/or checking and enforcing the HTTP Referer field to ensure the redirect was generated on your site and not from an arbitrary source, as described on this page.

For more information on Open Redirect vulnerabilities and how to mitigate them, please read the following articles:

https://cwe.mitre.org/data/definitions/601.html

https://googlewebmastercentral.blogspot.com/2009/01/open-redirect-urls-is-your-site-being.html

https://www.owasp.org/index.php/Open_redirect