An open redirect vulnerability lets an attacker abuse a trusted website to send its users to a destination of the attacker's choosing.
This is a medium-severity issue because it can be used to carry out phishing attacks or distribute malware.
The reporter discovered the vulnerability while investigating Topcoder’s authentication portal and found that it did not adequately validate user-supplied redirect URLs.
Nizar proposes restricting redirects to trusted domains and, as a best practice, preferring relative URLs over absolute ones.
This would prevent an attacker from using the platform to send users to an external URL of their choice. An unrestricted redirect can also be escalated to cross-site scripting (XSS): if the redirect is performed on the client side and the URL scheme is not checked, a javascript: URL runs in the site’s own origin rather than on a third-party page, and script running there can read session data or hijack the user’s session.