If your site permits open redirects, you may be unknowingly helping attackers
take advantage of your user base.
Redirects are a useful function to have when building a website. If a user
attempts to access a resource before they are logged in, it is conventional to
redirect them to the login page, put the original URL in a query parameter, and
after they have logged in, automatically redirect them to their original
destination. This type of functionality shows you are putting thought into the
user experience, and is to be encouraged. However, you need to be sure that
anywhere you perform redirects, they are done safely – otherwise you are putting
your users in harm’s way by enabling phishing attacks.
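The login-then-return flow described above is only safe if the stored destination is validated before the redirect is issued. The following is an added example, not code from the original article: a small Python check that accepts only paths on the site's own origin (the origin https://example.com is an assumed placeholder) and rejects absolute URLs, protocol-relative URLs, backslash variants and non-http schemes, which are the usual ways an open redirect is abused. It assumes the value has already been URL-decoded by the web framework, as a query parameter normally is.

```python
from urllib.parse import urlsplit, urljoin

# Assumption: the origin of our own site; the redirect must never leave it.
SITE_ORIGIN = "https://example.com"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is an absolute path on this site.

    Anything with a scheme or a host is rejected, so https://evil.example/,
    //evil.example/ and javascript: values all fail. Backslashes are
    normalised to slashes first because browsers treat "\\" as "/" in
    http(s) URLs, so "/\\evil.example" would otherwise become the
    protocol-relative "//evil.example" once the browser follows it.
    """
    if not target:
        return False
    # Browsers strip tabs and newlines from URLs, so "/\t/evil.example" would
    # be followed as "//evil.example"; refuse any control character outright.
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Must be a site-absolute path: exactly one leading slash. "///host" parses
    # with an empty netloc but is still protocol-relative to a browser.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    return True


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Build the Location value for the post-login redirect.

    Unsafe or missing targets fall back to a fixed in-site path instead of
    being echoed, so the response never points off-site.
    """
    path = target if is_safe_redirect(target) else fallback
    return urljoin(SITE_ORIGIN, path)


# Constructed sample values of the kind a `next=` parameter might carry.
SAMPLE_TARGETS = [
    "/account/settings",
    "/dashboard?tab=1#top",
    "https://evil.example/login",
    "//evil.example/",
    "/\\evil.example",
    "javascript:alert(1)",
    "",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:32} -> {resolve_redirect(t)}")
```

Because the check rejects rather than rewrites, a suspicious value simply sends the user to the site root; if an application genuinely needs to redirect to other domains, the same function is the place to add an explicit allow list of hosts rather than relaxing the path rule.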
Modern web-mail services are very good at spotting spam and other types of
malicious messages. One detection method they use is to parse the outbound
links in HTML emails. These links are compared to a blacklist of banned
domains; if a domain is deemed malicious, the email is routed to the junk folder.
This is why spammers and phishers find open redirects so enticing.
If they can “bounce” a user off your website (an apparently valid domain),
their messages are less likely to be marked as malicious. If the user clicks on
the link, they will see your domain in the link, but they will end up at whatever
site the attacker wants to send them to. A confused user might download
malware or worse, because of the trust they place in your site!