Open redirect
URL that can be used to redirect to an arbitrary second URL.
An open redirect is a URL that redirects the browser to a second URL read from the first URL's query string. Because the target is taken from the request itself, anyone who can write a link can rewrite it and make the redirect lead to an arbitrary website. For example, if the server at example.com were configured so that any URL of the form www.example.com/redirect?url=secondwebsite.com redirected to secondwebsite.com, whatever that site was, the /redirect endpoint would be an open redirect.
Open redirects are popular among webmasters for monitoring the links users click on: before the user is redirected, the click is recorded in a database. However, open redirects have become popular among spammers too, who send emails containing links routed through a trusted site's open redirect and thereby get past spam filters that blacklist certain URLs, since the filter sees only the trusted domain. Popular websites such as Google and LinkedIn are known to use or have used open redirects.
Although an open redirect does not by itself compromise the site that hosts it, it lends that site's domain name and reputation to whoever controls the target, so webmasters should avoid offering one: it helps spammers, can cause increased and unwanted traffic to the site, and can eventually lead to the site itself being blacklisted. Clicked links can still be monitored safely, for example by only allowing redirects to an allowlist of specific hosts or URLs, or by passing a number that corresponds to an entry in a database of links instead of passing the URL itself; in both cases the redirect target is checked or chosen by the server rather than supplied by the link.
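The following example, added to this article and not taken from any of the sites mentioned, shows the open redirect handler beside the two safe alternatives described above. The allowlisted hosts, the link IDs, the in-memory "database" and the click log are all constructed for the demo; the allowlist check deliberately handles the URL tricks (scheme-relative "//evil", backslashes, "https:evil", userinfo "@", look-alike subdomains) that naive host checks miss.

```python
"""Open redirect: the vulnerable handler and two hardened alternatives.

Added example code; hosts, link IDs and the in-memory tables are assumptions
constructed for this demo, not a real site's configuration.
"""
from urllib.parse import urlsplit

# Assumption: the site only ever redirects to these exact hostnames.
ALLOWED_HOSTS = {"www.example.com", "example.com", "partner.example.org"}

# Assumption: stands in for the database table of tracked links.
LINK_TABLE = {
    17: "https://partner.example.org/landing",
    42: "https://www.example.com/docs/",
}

FALLBACK = "https://www.example.com/"

# Constructed click log; a real site would write the click to its database.
CLICK_LOG = []


def vulnerable_redirect(target):
    """The open redirect: the url= parameter is trusted verbatim."""
    CLICK_LOG.append(target)
    return target  # any URL, including an attacker's, is honoured


def allowlisted_redirect(target):
    """Follow only absolute http(s) URLs whose host is on the allowlist, or
    absolute paths on this site; anything else falls back to the home page."""
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return FALLBACK  # empty, whitespace or control characters
    # Browsers treat a backslash like a slash in the authority part, so
    # "/\evil.com" means "//evil.com"; normalise before inspecting.
    target = target.replace("\\", "/")
    if target.startswith("//"):
        return FALLBACK  # scheme-relative: //evil.com, ///evil.com
    parts = urlsplit(target)
    if parts.scheme == "":
        # Relative URL: accept only an absolute path on this site.
        return target if parts.path.startswith("/") else FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK  # javascript:, data:, and other schemes
    if not parts.netloc or "@" in parts.netloc:
        return FALLBACK  # "https:evil.com" or the userinfo trick
    try:
        parts.port  # a malformed port raises ValueError
    except ValueError:
        return FALLBACK
    if parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK  # exact match only: no "example.com.evil.com"
    CLICK_LOG.append(target)
    return target


def id_redirect(param):
    """Look the destination up by opaque ID; the URL never comes from the client."""
    try:
        link_id = int(param)
    except (TypeError, ValueError):
        return FALLBACK
    target = LINK_TABLE.get(link_id)
    if target is None:
        return FALLBACK
    CLICK_LOG.append(target)
    return target


if __name__ == "__main__":
    for probe in ("https://www.example.com/docs/", "/account",
                  "https://evil.example/phish", "//evil.example",
                  "/\\evil.example", "https:evil.example",
                  "https://www.example.com@evil.example/",
                  "https://www.example.com.evil.example/", "javascript:alert(1)"):
        print(f"{probe!r:45} open -> {vulnerable_redirect(probe)!r}")
        print(f"{'':45} safe -> {allowlisted_redirect(probe)!r}")
    print("id 42  ->", id_redirect("42"))
    print("id 9999 ->", id_redirect("9999"))
```

The allowlist variant is the one to use when the set of destinations is small and known; the ID variant is the better fit for click tracking, because the database already holds every link that is meant to be followed, so there is nothing for a spammer to substitute.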
Related news articles
Loophole in Google's AdSense solved, but new flaw quickly uncovered.
03 June 2008