CWE-601: URL Redirection to Untrusted Site (Open Redirect)

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application accepted arbitrary URLs in redirect parameters and forwarded users to attacker-controlled domains. Evidence includes successful redirects (HTTP 302/301) to external sites via parameters like ?redirect=, ?url=, ?next=, or ?return_url=. The scanner submits payloads like ?redirect=https://evil.com and observes Location: headers pointing to the attacker domain.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-601 typically indicate that user-controlled input was reflected into redirect targets at runtime, such as:

  • Redirect responses whose destination changes based on request input
  • External URLs accepted as redirect destinations
  • Redirect behavior inconsistent with a fixed or allowlisted set of targets

Evidence is based on observed redirect behavior, not on request payload syntax.

Mapping DAST Findings to Source Code

CWE-601 does not hinge on a single vulnerable parameter. The issue resides in how redirect destinations are constructed and validated.

When tracing this issue in code, look for:

  • Redirect logic that consumes request input
  • Post-login or post-logout navigation handling
  • OAuth or SSO callback redirection logic
  • Any flow where external destinations are permitted

Remediation

Core Principle: Never allow untrusted input to control navigation or redirect targets; all redirect destinations must be server-defined or selected from a strict allowlist.

→ For comprehensive remediation guidance, see Static CWE-601 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

  • Python - Flask, Django, FastAPI - urlparse validation and allowlisting
  • Java - Servlets, Spring MVC, Jakarta EE - URI validation and redirect protection
  • JavaScript/Node.js - Express, Koa - URL parser validation and same-origin checks
  • C# - ASP.NET Core, MVC - Url.IsLocalUrl() and allowlist validation
  • PHP - Laravel, Symfony - parse_url validation and header redirects

Verification and Follow-Up Testing

After applying the fix:

1. Verify Redirect Behavior

  • Confirm redirect destinations are fixed or allowlisted
  • Ensure external redirects are rejected unless explicitly intended

2. Test Edge Cases

  • Authentication and logout flows
  • OAuth or SSO callbacks
  • Relative vs absolute redirect targets
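As an added example, not taken from the static guidance or from any framework's own API, the following Python validator applies the allowlist principle from the Remediation section and handles the relative-versus-absolute, scheme-relative and callback edge cases listed above; the allowlisted hosts, the function name and the default target are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: hosts the application itself may redirect to.
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect destination that is a same-site absolute path or an allowlisted
    http(s) URL; anything else (external hosts, '//host', backslash variants,
    non-http schemes, userinfo tricks, control characters) falls back to `default`."""
    if not candidate or len(candidate) > 2048:
        return default
    # Control characters and whitespace: parsers and browsers disagree on how to strip them.
    if any(ord(c) < 0x21 for c in candidate):
        return default
    # Browsers treat '\' as '/' in URLs, so normalise before parsing; otherwise
    # '/\host' looks like a relative path here but is scheme-relative in a browser.
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host, port = parts.hostname, parts.port  # both may raise ValueError on malformed input
    except ValueError:
        return default

    if not parts.scheme and not parts.netloc:
        # Plain relative target: urlsplit puts '//host' into netloc, so only real paths
        # reach here; require a leading '/' so 'host/x' is not resolved by the browser.
        return candidate if candidate.startswith("/") else default

    if parts.scheme not in ("http", "https"):
        return default
    # .hostname is lowercased and excludes userinfo and port, so
    # 'https://app.example.com@other.example/' is judged by 'other.example'.
    if host not in allowed_hosts:
        return default
    # Rebuild the URL without userinfo so nothing is smuggled into the Location header.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the kinds of values a DAST scanner submits.
    for raw in ["/account", "//other.example", "/\\other.example", "https://other.example",
                "https://app.example.com@other.example/", "javascript:alert(1)",
                "HTTPS://App.Example.com/dash?x=1"]:
        print(f"{raw!r:45} -> {safe_redirect_target(raw)!r}")
```

Wire the returned value into the framework's redirect call (for example Flask's `redirect()`) in place of the raw request parameter, so the Location header is always server-chosen.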

Re-run DAST Scanner

Re-run the dynamic scanner to confirm untrusted redirect behavior is no longer observed.

Additional Resources