
Typescript Express Open Redirect

Description

Detects open redirect vulnerabilities in Express.js applications where user-controlled input (taken from the HTTP request) is passed directly to a redirect function without validation. An attacker who controls the redirect URL parameter can send users to a malicious website while the link itself appears to point at the trusted application.

Weakness:

156 - Uncontrolled external site redirect

Category: Deceptive Interactions

Detection Strategy

    Check if code calls Express redirect functions (res.redirect, res.location, etc.)

    Verify if the redirect URL parameter comes from HTTP request inputs (req.query, req.params, etc.)

    Report vulnerability if unvalidated request input is used directly in redirect function

    Example vulnerable code: res.redirect(req.query.next)
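The three detection steps above, carried out over constructed source lines as an added example (this is illustrative code, not the rule's actual implementation): it locates calls to res.redirect and res.location, then checks whether the argument expression reads directly from req.query, req.params, req.body or req.headers. It only covers the direct-argument form such as res.redirect(req.query.next); a value first copied into a local variable, as in the code examples below, needs taint tracking that this snippet does not attempt.

```typescript
// Added example: a minimal line-based detector for Express open redirects.
// It implements the page's three steps for the direct-argument case only.

interface Finding {
  line: number;      // 1-based line number in the scanned source
  call: string;      // "redirect" or "location"
  argument: string;  // the raw argument list of the call
}

// Step 1: Express redirect sinks. Captures the function name and the argument list.
const REDIRECT_CALL = /\bres\.(redirect|location)\s*\(([^)]*)\)/;

// Step 2: request-derived sources that an attacker controls.
const REQUEST_INPUT = /\breq\.(query|params|body|headers)\b/;

function findOpenRedirects(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((text, index) => {
    const match = REDIRECT_CALL.exec(text);
    if (match === null) return;                 // no redirect sink on this line
    const [, call, argument] = match;
    // Step 3: report only when unvalidated request input is used as the argument.
    if (REQUEST_INPUT.test(argument)) {
      findings.push({ line: index + 1, call, argument: argument.trim() });
    }
  });
  return findings;
}

// Constructed sample source: lines 1, 3 and 4 are vulnerable, line 2 is a fixed target.
const SAMPLE_SOURCE = [
  "app.get('/a', (req, res) => { res.redirect(req.query.next); });",
  "app.get('/b', (req, res) => { res.redirect('/home'); });",
  "app.get('/c', (req, res) => { res.redirect(302, req.params.to); });",
  "app.get('/d', (req, res) => { res.location(req.body.url).sendStatus(302); });",
].join('\n');

for (const f of findOpenRedirects(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: res.${f.call}(${f.argument}) uses request input`);
}
```

The status-code overload res.redirect(302, req.params.to) is reported too, because the source pattern is matched anywhere in the argument list rather than only in the first argument.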

Vulnerable code example

import express from 'express';
const app = express();

app.get('/redirect', (req, res) => {
    const target = req.query.url;
    res.redirect(target); // Vulnerable: Unvalidated redirect allows attackers to specify malicious URLs
});
...

✅ Secure code example

import express from 'express';
const app = express();

app.get('/redirect', (req, res) => {
    const target = req.query.url;
    // Define allowlist of permitted redirect destinations
    const allowedUrls = ['/home', '/profile', '/dashboard', '/login'];
    ...
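A complete allowlist-based handler, written as an added example rather than the page's own secure code. It keeps the allowlist from the secure example above and falls back to /home when the requested target is not on it. The Express import is replaced by minimal request/response interfaces (an assumption made so the snippet runs without the express package); redirectHandler has the same (req, res) shape as an Express route callback. Parsing the candidate with the WHATWG URL class against a fixed base is what makes protocol-relative (//host), backslash (/\host) and non-http scheme (javascript:) targets fail the origin check, where a plain startsWith('/') test would not.

```typescript
// Added example: hardened redirect handler using an allowlist of local paths.
// The two interfaces are assumptions standing in for Express's Request/Response.

interface RedirectRequest { query: Record<string, unknown> }
interface RedirectResponse { redirect(url: string): void }

// Allowlist taken from the page's secure example; the fallback is an assumption.
const ALLOWED_PATHS = new Set(['/home', '/profile', '/dashboard', '/login']);
const FALLBACK_PATH = '/home';

// Returns a redirect target that is guaranteed to be one of the allowed local
// paths (query string preserved), or the fallback when the input is unsafe.
function safeRedirectTarget(
  raw: unknown,
  allowed: Set<string> = ALLOWED_PATHS,
  fallback: string = FALLBACK_PATH,
): string {
  // ?url[]=... or ?url[a]=... arrive as arrays/objects; only strings are accepted.
  if (typeof raw !== 'string') return fallback;

  // Resolve against a fixed base so that absolute URLs, protocol-relative URLs
  // ("//evil"), backslash variants ("/\evil") and foreign schemes ("javascript:")
  // all surface as a different origin instead of looking like a local path.
  let parsed: URL;
  try {
    parsed = new URL(raw, 'http://localhost');
  } catch {
    return fallback;
  }
  if (parsed.origin !== 'http://localhost') return fallback;

  // Exact match against the allowlist, not a prefix check, so "/home.evil"
  // or "/homeX" are rejected as well.
  if (!allowed.has(parsed.pathname)) return fallback;
  return parsed.pathname + parsed.search;
}

// Express-compatible handler: the request input never reaches res.redirect unchecked.
function redirectHandler(req: RedirectRequest, res: RedirectResponse): void {
  res.redirect(safeRedirectTarget(req.query.url));
}

// Stand-alone demonstration with a stub response object.
redirectHandler(
  { query: { url: 'https://evil.example/phish' } },
  { redirect: (url) => console.log(`redirecting to ${url}`) },
);
```

Wire it up with app.get('/redirect', redirectHandler); in a real Express application. If the application needs to allow redirects to other sites it operates, extend the check to compare parsed.origin against a fixed set of trusted origins rather than relaxing the local-path rule.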