An open redirect is where your application redirects the user to a URL supplied from an untrusted source, without checking the validity of that URL.
Open redirects are often used in phishing attacks - attacks where malicious links are sent out in emails, in an attempt to trick users into visiting a harmful site.
By sending out a link that points to your website but immediately redirects to a malicious site, attackers can circumvent anti-phishing measures put in place by email providers.
This kind of attack can damage the trust your users have in your site since you appear to be the malicious actor. Let's see how the attack works.
Mal is a hacker who has noticed that your site performs a redirect after login. Normally this is a useful feature, but your site doesn't check the URL of the redirect location.
Mal crafts a URL featuring a redirect to his malicious website.
To make it less obvious what he is doing, he encodes the redirect parameter, and adds some superfluous parameters to the query string.
Mal sends this URL to Vic in an email. The link is to your website, which is not black-listed as a malicious site by Vic's email provider, so no alarms go off when the email is scanned.
Subject: This Baby Iguana Got To Eat Ice Cream For His Birthday
And he has a perfect tiny party hat.
I used to have a pet iguana. He was called Randall.
Randall was lactose-intolerant though.
We had to feed him exclusively almond milk.
This is not what Randall would have wanted.
Vic is one of your users. Mal wants to trick Vic into going to his malicious website.
Vic clicks on the link. Since he isn't currently logged in, your website presents him with the login page.
Immediately after Vic logs in, the redirect parameter is processed. The site doesn't perform any check on the URL carried in the 'next' parameter.
Vic is redirected to the harmful site. He has been phished!
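The scenario above turns on one missing step: the login handler never checks where 'next' points. The following Python is an added example, not code from the original page, showing how a login handler can validate the redirect target before honouring it. The site hostname example.com, the function names, and the sample links are constructed for the example. It accepts only a path on the site itself or an absolute URL whose authority is exactly the site's host, checked on the raw string so that an encoded external URL (as in Mal's link), a protocol-relative URL ('//host'), a backslash variant ('/\host'), or a look-alike host all fall back to a fixed on-site default.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostname of the site that performs the post-login redirect (constructed for this example).
SITE_HOST = "example.com"

# Only printable ASCII without whitespace may appear in a redirect target. Control
# characters, spaces and newlines are rejected because browsers strip or reinterpret them.
_PRINTABLE = re.compile(r"[\x21-\x7e]+")


def is_local_path(target: str) -> bool:
    """Accept only a path on this site: exactly one leading '/' followed by a character that
    cannot re-introduce an authority. Browsers read both '//host' and '/\\host' as a new host,
    so the second character may be neither '/' nor '\\'."""
    return (
        _PRINTABLE.fullmatch(target) is not None
        and target.startswith("/")
        and target[1:2] not in ("/", "\\")
    )


def is_same_site_url(target: str, site_host: str = SITE_HOST) -> bool:
    """Accept an absolute http(s) URL only when the authority is exactly our host.
    The check runs on the raw string, so userinfo tricks ('https://example.com@evil'),
    look-alike hosts ('example.com.evil') and extra slashes ('https:///evil') cannot pass."""
    pattern = re.compile(
        r"https?://" + re.escape(site_host) + r"(?:[/?#].*)?", re.IGNORECASE
    )
    return _PRINTABLE.fullmatch(target) is not None and pattern.fullmatch(target) is not None


def safe_redirect_target(target, default: str = "/") -> str:
    """Return `target` if it is safe to redirect to, otherwise a fixed on-site default."""
    if isinstance(target, str) and (is_local_path(target) or is_same_site_url(target)):
        return target
    return default


def resolve_login_redirect(login_url: str, default: str = "/") -> str:
    """Given the URL a user arrived at (for instance from a link in an email), extract the
    'next' parameter the way the login handler would and decide where to send the user after
    login. parse_qs percent-decodes the value, so an encoded external URL is still recognised
    as external; any superfluous parameters in the query string are simply ignored."""
    query = urlsplit(login_url).query
    values = parse_qs(query, keep_blank_values=True).get("next", [])
    return safe_redirect_target(values[0] if values else None, default)


if __name__ == "__main__":
    # Constructed links: an encoded external redirect padded with extra parameters, and a
    # legitimate on-site one.
    for link in (
        "https://example.com/login?utm=1&next=https%3A%2F%2Fevil.example%2Figuana&ref=mail",
        "https://example.com/login?next=%2Faccount%2Fsettings",
    ):
        print(link, "->", resolve_login_redirect(link))
```

The function deliberately rejects a same-site URL that carries a port or userinfo; if the site legitimately serves on a non-default port, add it to the regular expression explicitly rather than loosening the host match.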