Time Remaining4:00
mediumSecurityExpress

The open redirect

A developer asked an AI assistant to redirect users back to the page they came from after logging in, using a 'next' query parameter. The suggested code works for normal navigation, but it also lets attackers craft login links that silently send victims to a phishing site right after they authenticate.

authCallback.js
app.get('/login/callback', (req, res) => {
  const redirectTo = req.query.next || '/dashboard';
  authenticateUser(req, () => {
    res.redirect(redirectTo);
  });
});

What's the risk in a link like /login/callback?next=https://evil-lookalike.com/login ?

Open redirect — redirectTo comes straight from an unvalidated query parameter, so an attacker can send a legitimate login link that redirects victims to a phishing site right after they authenticate.
authenticateUser runs after the redirect, so the user is never actually logged in.
req.query.next is undefined unless the request uses POST instead of GET.
res.redirect only accepts relative paths, so the external URL is ignored automatically.