
Posts

Featured

URL Redirect Bypass via Weak String Validation Leading to Attacker-Controlled Domain Redirection

An open redirect occurs when a website takes a user-controlled URL and redirects to it without properly checking that the destination actually belongs to the application, so an attacker can abuse it to send users to a malicious site. While testing redacted.com, I focused on the authentication flow and noticed the return_to parameter of the login endpoint /auth/v3/signin, which controls where users are redirected after a successful login, so I started by confirming how it behaves in a normal scenario. I opened a fresh session, visited the login URL with a valid internal return_to value, logged in, and confirmed that the application redirects correctly to its own page. I then tried the straightforward test of replacing the return_to value with an external domain such as https://attacker.com/hc/en-gb, but this was blocked and the application redirected back to its default page, which means some validation is in place. At this point I started digging into how the validation works, and I found...
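The excerpt above stops before the post explains which string check was weak, so the following is an added example, not code from the post or from redacted.com: it puts a hypothetical substring-style validator (one common way a return_to check goes wrong, chosen for illustration and not claimed to be the one the author found) beside a hardened version that parses the URL and compares the host against an allowlist. The host names, the DEFAULT_TARGET value, the https-only policy and the test URLs are all assumptions constructed for the demo.

```python
from urllib.parse import urlsplit

# Assumed allowlist and fallback; the real application's values are not on the page.
TRUSTED_HOSTS = {"redacted.com", "www.redacted.com"}
DEFAULT_TARGET = "/"


def weak_validate(return_to: str) -> str:
    """Hypothetical weak check: accept any value whose text merely contains a
    trusted host name. This passes the plain https://attacker.com case the post
    describes as blocked, but it is bypassed by putting the trusted name anywhere
    in the string (query string, subdomain, userinfo)."""
    if any(host in return_to for host in TRUSTED_HOSTS):
        return return_to
    return DEFAULT_TARGET


def safe_validate(return_to: str) -> str:
    """Hardened check: allow a same-origin relative path or an https URL whose
    parsed host is exactly on the allowlist; everything else falls back to the
    default page."""
    # Backslashes and whitespace/control characters are parsed differently by
    # browsers and by urlsplit, so refuse them outright rather than reason about them.
    if "\\" in return_to or any(ord(ch) <= 0x20 for ch in return_to):
        return DEFAULT_TARGET
    # Scheme-relative URLs ("//attacker.com/...") are absolute to a browser.
    if return_to.startswith("//"):
        return DEFAULT_TARGET

    parts = urlsplit(return_to)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a rooted path on this origin.
        return return_to if return_to.startswith("/") else DEFAULT_TARGET
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # Userinfo ("trusted.com@attacker.com") is a classic host-confusion trick.
    if "@" in parts.netloc:
        return DEFAULT_TARGET
    host = parts.hostname
    if host is None or host.lower() not in TRUSTED_HOSTS:
        return DEFAULT_TARGET
    return return_to


# Constructed sample inputs covering the normal case, the blocked case from the
# post, and several bypass shapes a tester would try next.
SAMPLE_RETURN_TO = [
    "/hc/en-gb",
    "https://redacted.com/hc/en-gb",
    "https://attacker.com/hc/en-gb",
    "https://attacker.com/hc/en-gb?next=redacted.com",
    "https://redacted.com.attacker.com/hc/en-gb",
    "https://redacted.com@attacker.com/hc/en-gb",
    "//attacker.com/hc/en-gb",
    "javascript:alert(document.domain)",
]


def compare(inputs=SAMPLE_RETURN_TO) -> dict:
    """Return {input: (weak_result, safe_result)} for side-by-side inspection."""
    return {u: (weak_validate(u), safe_validate(u)) for u in inputs}


if __name__ == "__main__":
    for url, (weak, safe) in compare().items():
        print(f"{url!r:55} weak -> {weak!r:50} safe -> {safe!r}")
```

The substring validator and the parsed-host validator agree on the two cases in the excerpt (an internal path is allowed, a bare attacker domain is blocked), which is exactly why a quick test like the one described does not prove the check is sound; the divergence only shows up on inputs where the trusted name appears somewhere other than the parsed host.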

Latest Posts

Breaking Directus CMS < 11.9.3 ( From Information Disclosure to Arbitrary File Overwrite )

How I Exploited a CORS Misconfiguration To a Full Account Takeover Chain