Ehteshamul Haq has detailed how an open redirect vulnerability can be exploited by manipulating the Referer header.
Open redirects can be dangerous as they can make users think they are on a legitimate website when they are actually being redirected to a phishing site.
In the case he found, the web application took the URL from the Referer header and redirected to it without properly checking it, which allowed him to demonstrate an open redirect vulnerability on a bug bounty programme.
Haq also advises that another good place to look for open redirects is in email notifications that include URL links, as these can also be manipulated.
These flaws can lead to phishing attacks, SEO poisoning, or warming attacks, and should be patched as soon as they are discovered.
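To make the root cause concrete, here is an added example (not code from Haq's write-up or from the affected application) showing the difference between a redirect handler that trusts the Referer header outright and one that validates the destination before using it. The same validation function is reused for a redirect URL carried in a query parameter, which is how links in email notifications are typically constructed. The allowlisted host `app.example`, the header dictionaries and the `next` parameter name are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only host the application may redirect to.
ALLOWED_HOSTS = {"app.example"}
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(headers):
    """Before: whatever the client sends in Referer becomes the Location header."""
    return headers.get("Referer", DEFAULT_TARGET)


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect destination only if it is a same-site path or an
    https URL whose host is exactly in the allowlist; otherwise fall back."""
    if not candidate:
        return default
    # Control characters (CR/LF, tabs) are never valid here; they would enable
    # header injection or parser confusion, so reject them before parsing.
    if any(ord(c) < 32 or ord(c) == 0x7F for c in candidate):
        return default

    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative path. "//host" is scheme-relative (browsers treat it as an
        # absolute URL) and "/\host" is normalised to "//host" by browsers,
        # so only a single leading "/" is accepted.
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return default

    # Absolute URL: require https and an exact host match. Using .hostname
    # strips userinfo, so "https://app.example@evil.example/" resolves to
    # evil.example and is rejected rather than passing a substring check.
    if parts.scheme != "https":
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default

    # Rebuild the URL from validated components so that userinfo, an odd
    # port or a fragment supplied by the client is not carried through.
    target = f"https://{host}{parts.path or '/'}"
    if parts.query:
        target += f"?{parts.query}"
    return target


def redirect_from_referer(headers):
    """After: the Referer header is treated as untrusted input."""
    return safe_redirect_target(headers.get("Referer", ""))


def redirect_from_query(params):
    """Same check applied to a 'next' query parameter, e.g. from an emailed link."""
    return safe_redirect_target(params.get("next", ""))


if __name__ == "__main__":
    # Constructed request headers as an attacker would supply them.
    hostile = {"Referer": "https://evil.example/login"}
    print("vulnerable:", vulnerable_redirect_target(hostile))   # off-site
    print("hardened:  ", redirect_from_referer(hostile))        # falls back to "/"
    print("email link:", redirect_from_query({"next": "https://app.example/account?x=1"}))
```

The allowlist is a set of exact hostnames rather than a prefix or substring check, because `app.example.evil.example` and `app.example@evil.example` both contain the trusted name while pointing elsewhere. Rebuilding the destination from parsed components, instead of echoing the original string, also drops any fragment or userinfo the client attached.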