VibeSec

Open Redirect

OWASP A01:2025 | Active check | CVSS 6.1 (Medium)

What it is

A redirect parameter (for example next, return or url) accepts any URL, including one on another host, so a link that starts at your trusted domain can deliver the visitor to an attacker-controlled site. Attackers use this to make phishing links appear to come from you.

How attackers abuse it

Your site builds the Location header from a URL the user supplied, so an attacker crafts a link whose visible domain is yours but whose destination is a phishing or malware page. Users who check the domain before clicking are still caught, because the domain really is yours; the redirect only happens after the click.

Attacker playbook

  1. Find a redirect parameter (return, next, url).
  2. Set it to an external attacker site.
  3. Share the link; victims trust your domain and get redirected.

How VibeSec detects and confirms it

VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native, Wapiti and Nuclei. When a payload demonstrably causes a redirect off your domain, it is reported as a confirmed finding rather than a guess.


If this is in your report: how to fix it

  • Redirect only to an allow-list of known paths on your own site, and fall back to a safe default (such as the home page) when the parameter does not match.
  • Do not accept full URLs from users for redirects. Also reject protocol-relative forms (//host), backslash variants (/\host) and URLs with embedded credentials (https://yourdomain@host), which slip past naive "starts with a slash" or "contains our domain" checks.
  • If external redirects are genuinely needed, show an interstitial warning page that names the destination before the browser leaves your site.
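The following is an added example, not VibeSec's scanner or any code from this page. It shows both halves of the story above: the detection side (feeding a redirect handler the payload shapes an active check sends and confirming only when the resolved Location actually lands on a host the tester controls) and the fix side (an allow-list of paths that also rejects the protocol-relative, backslash and embedded-credential bypasses). The site origin app.example, the three allowed paths and the canary host canary.invalid are assumptions; so is the rule that a browser folds backslashes to slashes before resolving, which Python's urljoin does not do on its own.

```python
"""Open redirect: a vulnerable handler, an allow-list fix, and the active
check that confirms which one is exploitable.  Added example, not VibeSec's
scanner or code from this page; origin, allow-list and canary host are assumed."""
import posixpath
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example"                 # assumed origin of the site under test
ALLOWED_PATHS = ("/", "/dashboard", "/account")     # assumed allow-list of landing pages
CANARY_HOST = "canary.invalid"                      # constructed host the payloads point at


def vulnerable_redirect(next_param: str) -> str:
    """The bug: the Location header is whatever the client supplied."""
    return next_param


def safe_redirect_target(next_param: str, allowed=ALLOWED_PATHS, default="/") -> str:
    """Return a redirect target that stays on this site, or the default."""
    if not next_param or not next_param.startswith("/") or next_param.startswith("//"):
        return default                      # full URLs and //host are rejected
    # Browsers treat '\' like '/', so '/\host' is protocol-relative too; control
    # characters and spaces are stripped by some URL parsers, so reject them as well.
    if "\\" in next_param or any(ord(c) < 0x21 for c in next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    path = posixpath.normpath(parts.path)   # collapse '..' and repeated slashes
    if path not in allowed:
        return default
    # Rebuild from validated pieces so only the path and query reach the header.
    return path + (f"?{parts.query}" if parts.query else "")


def open_redirect_payloads(canary: str = CANARY_HOST) -> list:
    """Payload shapes an active check sends; each should resolve to the canary host."""
    return [
        f"https://{canary}/",                   # plain external URL
        f"//{canary}/",                         # protocol-relative, passes startswith('/')
        f"/\\{canary}/",                        # backslash variant of the above
        f"https://app.example@{canary}/",       # userinfo trick: 'contains our domain'
    ]


def browser_resolve(origin: str, location: str) -> str:
    """Resolve a Location value as a browser would.  Assumption: '\\' is folded to
    '/' first, as the WHATWG parser does for http(s); urljoin alone does not."""
    return urljoin(origin + "/", location.replace("\\", "/"))


def confirm_open_redirect(handler, origin: str = SITE_ORIGIN, canary: str = CANARY_HOST) -> list:
    """Return the payloads for which the handler's redirect actually leaves the site.
    A non-empty list is a confirmed finding; an empty one means nothing was proven."""
    hits = []
    for payload in open_redirect_payloads(canary):
        landing = browser_resolve(origin, handler(payload))
        if urlsplit(landing).hostname == canary:
            hits.append(payload)
    return hits


if __name__ == "__main__":
    print("vulnerable:", confirm_open_redirect(vulnerable_redirect))
    print("fixed:     ", confirm_open_redirect(safe_redirect_target))
```

Run against vulnerable_redirect, every payload is confirmed; against safe_redirect_target, none is, while an in-policy value such as /dashboard?tab=billing still passes through, so the "return to the page you were on" feature keeps working. The check resolves the Location the way a browser would rather than trusting the string, which is what separates a confirmed finding from a guess.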

Check your site for this

Run a scan and see whether this affects you, in plain language with copy-paste fixes.
