Hey Javier,

Glad you found it helpful.

1. Any website that lets an attacker influence the destination it would redirect the user to is a candidate.

Merely having an external link on your website is no problem.

But if you are using, say, GET parameters to get the destination you'd redirect the user to (e.g. http://yoursite.com/?redirectTo=example.com), then you had better validate the parameter ("redirectTo" in this example) properly before blindly trusting that it contains a harmless domain that your site will redirect the user to.

2. Many ways. Not really .htaccess or server configuration. Rather, the same code that is redirecting the user can be tailored to validate whether the destination being provided (e.g. via the URL GET parameter) would lead to your domain only, or to one of the domains you're okay with. If the parameter contains any other domain, you can either decide not to redirect the user at all, or give out a warning.

For example, look at the HackerOne link below. When redirecting to an external link via a GET parameter ("url"), it gives you a warning:


^ In HackerOne's case it's difficult to change the "url" parameter to anything of your choice because not only does it give the end-user a warning, but the "signature" field has a hash value based on the URL (and a possible secret in use), preventing changes to the parameter.

Security Researcher | Tech Columnist | https://hey.ax
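An added example (not code from the original comment, and not HackerOne's implementation) showing the two controls the reply describes: a destination check that only accepts your own site or an allowlisted host, and an HMAC signature over the URL, as HackerOne's "signature" parameter does, so that a link the site itself emitted can be followed (with a warning) while a tampered `url` parameter is refused. The allowlist, the `/redirect?url=...&signature=...` endpoint, the secret and the function names are all assumptions; the code is plain Python and runs offline.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlencode, parse_qsl

# Assumption: the only hosts this site is willing to send users to.
ALLOWED_HOSTS = {"yoursite.com", "www.yoursite.com", "partner.example"}

# Assumption: a server-side secret loaded from config; it never reaches the client.
SECRET = b"replace-with-a-random-server-side-secret"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for an absolute path on this site or an http(s) URL whose
    host is on the allowlist.

    Substring checks such as "yoursite.com" in target are bypassed by inputs
    like yoursite.com.evil.com or evil.com/?x=yoursite.com, so the host is
    taken from a real URL parse instead.
    """
    if not target:
        return False
    # Browsers treat a backslash like a slash in http(s) URLs, so "/\evil.com"
    # is followed as "//evil.com"; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference. "//evil.com" parses with netloc set and never
        # reaches here; "///evil.com" does, and browsers collapse the extra
        # slashes into a host, so anything starting with "//" is refused.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # .hostname drops userinfo and port and lowercases, so
    # "https://yoursite.com@evil.com/" yields "evil.com".
    return (parts.hostname or "") in allowed_hosts


def sign_url(url, secret=SECRET):
    """HMAC-SHA256 over the destination: the role a "signature" parameter plays."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_external_link(url, secret=SECRET):
    """Server side: wrap an external URL the site itself emitted in a signed link."""
    return "/redirect?" + urlencode({"url": url, "signature": sign_url(url, secret)})


def verify_signed_url(url, signature, secret=SECRET):
    # Constant-time comparison, so a timing difference cannot help forge a signature.
    return hmac.compare_digest(sign_url(url, secret), signature or "")


def decide_redirect(params, allowed_hosts=ALLOWED_HOSTS, secret=SECRET):
    """Decision for one /redirect request: "redirect", "warn" or "deny"."""
    target = params.get("url", "")
    if is_safe_redirect(target, allowed_hosts):
        return "redirect"  # own site or allowlisted host: follow silently
    if verify_signed_url(target, params.get("signature"), secret):
        return "warn"      # link was issued by this site: show an interstitial
    return "deny"          # attacker-controlled destination: do not redirect


if __name__ == "__main__":
    # Constructed sample inputs, including the usual bypass attempts.
    for t in ["/account", "https://yoursite.com/x", "evil.com", "//evil.com",
              "/\\evil.com", "///evil.com", "https://yoursite.com@evil.com/",
              "https://yoursite.com.evil.com/", "javascript:alert(1)"]:
        print(f"{t!r:36} safe={is_safe_redirect(t)}")
    link = build_external_link("https://example.com/report")
    params = dict(parse_qsl(link.split("?", 1)[1]))
    print(link, "->", decide_redirect(params))
    params["url"] = "https://evil.com/"   # tamper with the parameter, keep the signature
    print("tampered ->", decide_redirect(params))
```

The two checks are independent: the allowlist keeps the common case (links within your own site) free of warnings, and the signature lets the site emit links to arbitrary external destinations without those links becoming a general-purpose open redirect, because the attacker cannot produce a valid signature for a URL of their choosing without the secret.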
