URL Redirect Bypass via Weak String Validation Leading to Attacker-Controlled Domain Redirection


An open redirect is when a website takes a user-controlled URL and redirects to it without properly checking whether it actually belongs to the application, which means an attacker can abuse it to send users to a malicious site.

While testing redacted.com, I focused on the authentication flow and noticed the return_to parameter in the login endpoint /auth/v3/signin, which controls where users are redirected after a successful login, so I started by confirming how it behaves in a normal scenario.

I opened a fresh session, visited the login URL with a valid internal return_to value, logged in, and confirmed that the application redirects correctly to its own page.

I then tried a straightforward test by replacing the return_to value with an external domain like


https://attacker.com/hc/en-gb


but this was blocked and the application redirected back to its default page, which means there is some validation in place.

At this point I started digging into how the validation works, and I found that instead of properly validating the hostname, the application only checks whether the URL contains a specific string (domain.test.dev), which is a weak string-based check: it never parses the URL or compares the actual host.

To test this, I crafted attacker-controlled domains that include that string, such as


https://domain.test.dev.attacker.org

https://domain.test.devwebsite.com

https://domain.test.devanything.info


all of which are domains that can be publicly registered and fully controlled by an attacker.

When I used


https://domain.test.dev.attacker.org/


in the return_to parameter and logged in, the application accepted it and redirected me straight to that domain, confirming the validation can be bypassed as long as the required string is present.

I repeated the test with another variation using a fully attacker-owned domain like


https://domain.test.devattacker.org/


and the application still allowed the redirect after login, even though this domain has no relation to the legitimate service.

To further validate the impact, I confirmed that domains like devattacker.org are publicly available for registration, meaning an attacker can easily purchase one and configure subdomains such as domain.test.devattacker.org to host malicious content or carry out further targeted attacks.
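To make the root cause concrete, here is an added example (not code from the original post or from the affected application) that places the substring check described above next to a hardened version. It assumes Python, uses the redacted host name domain.test.dev from the write-up as the only allowed redirect target, and treats the sample return_to values as constructed test inputs; the `//` and query-string cases are hardening edge cases the hardened check must also handle.

```python
from urllib.parse import urlparse

# Hostnames the application legitimately serves. The value is the redacted host
# from the write-up; in a real deployment this would be the site's own host(s).
ALLOWED_HOSTS = {"domain.test.dev"}
DEFAULT_REDIRECT = "/"  # where the application falls back to on rejection


def weak_validate(return_to: str) -> str:
    """Reproduces the flawed check the write-up describes: the URL is accepted
    if the expected string appears anywhere in it. This is the vulnerable form."""
    if "domain.test.dev" in return_to:
        return return_to
    return DEFAULT_REDIRECT


def strict_validate(return_to: str) -> str:
    """Hardened check: accept same-site relative paths, otherwise parse the URL,
    require https and compare the exact hostname against an allowlist."""
    # Relative path is fine, but "//host/..." (and the "/\\" variant some
    # browsers normalise) would be interpreted as a protocol-relative URL.
    if return_to.startswith("/") and not return_to.startswith(("//", "/\\")):
        return return_to
    parsed = urlparse(return_to)
    if parsed.scheme != "https":
        return DEFAULT_REDIRECT
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_REDIRECT
    return return_to


# Constructed inputs: the legitimate target, the blocked external domain, the
# bypass shapes from the write-up, and two additional edge cases for the check.
SAMPLES = [
    "https://domain.test.dev/hc/en-gb",
    "https://attacker.com/hc/en-gb",
    "https://domain.test.dev.attacker.org/",
    "https://domain.test.devattacker.org/",
    "https://domain.test.devwebsite.com",
    "https://evil.example/?next=domain.test.dev",  # string present only in the query
    "//domain.test.dev.attacker.org/",             # protocol-relative, no scheme
    "/account/settings",                           # genuine same-site path
]


def compare(urls=SAMPLES):
    """Return {url: (weak_result, strict_result)} so the two checks can be diffed."""
    return {u: (weak_validate(u), strict_validate(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url:46} weak -> {weak:40} strict -> {strict}")
```

Every attacker-controlled variant that the substring check lets through is sent to the default page by the hostname comparison, while the legitimate absolute URL and the relative path still pass. The point of `strict_validate` is that the decision is made on the parsed host, not on the raw string, so appending or prefixing characters to the expected name cannot change the outcome.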
