🔐 Fix: Prevent Open Redirect via next Parameter on Login Endpoint
Closes: #54
📌 Summary
This pull request addresses a security vulnerability where the next parameter on the login endpoint (/user/login) could be manipulated to redirect users to an attacker-controlled external domain (e.g., https://evil.com). This behavior enables open redirect attacks, which can be exploited in phishing campaigns and lead to credential theft, token leakage, or user impersonation.
🐞 Vulnerability Details
- Type: Open Redirect
- Severity: Medium
- CVSS Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
- Affected Endpoint: /user/login/?next=https://evil.com
- Proof of Concept: https://app.aixblock.io/user/login/?next=https://evil.com
After authentication, users are redirected to the external domain without validation. This violates the principle of safe redirection and exposes users to phishing risks.
✅ Fix Details
The following changes were implemented:
- Validated the next parameter:
  - Ensured it is a relative internal path.
  - Rejected values starting with http://, https://, or //.
- Fallback to a default internal route (e.g., /dashboard) if the next value is invalid or unsafe.
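The validation described above, written out as an added example (not the project's code; /dashboard as the fallback route is taken from the description, the function names are mine). It goes slightly beyond the three listed prefixes: it also rejects backslash variants such as /\evil.com, which browsers treat as //evil.com, leading whitespace or control characters that browsers strip before parsing, and scheme-only values such as javascript:.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_NEXT = "/dashboard"  # fallback route named in the PR description


def is_safe_next(value: str) -> bool:
    """True only for a relative, same-host path such as /projects or /settings?tab=1."""
    if not value:
        return False
    # Browsers strip surrounding whitespace and embedded control characters before
    # resolving a URL, so "\t//evil.com" would still leave the site. Reject rather
    # than clean, so the stored value always equals what the browser will follow.
    if value != value.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    # Chrome and Firefox parse "/\evil.com" as "//evil.com"; normalise before checking.
    normalised = value.replace("\\", "/")
    # Must be an absolute path on this host: exactly one leading slash.
    # This covers "//evil.com", "https://evil.com" and "javascript:..." in one test.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # Defence in depth: anything urlsplit still recognises as a scheme or host is
    # an off-site target. A path like "/https://evil.com" stays on this host.
    return not parts.scheme and not parts.netloc


def safe_next(value: Optional[str], default: str = DEFAULT_NEXT) -> str:
    """Return the requested next path when it is safe, otherwise the default route."""
    return value if value and is_safe_next(value) else default


if __name__ == "__main__":
    # Constructed sample values of the kind seen on a login form's next parameter.
    for sample in ["/projects", "https://evil.com", "//evil.com", "/\\evil.com", None]:
        print(repr(sample), "->", safe_next(sample))
```

In a Django application the same decision is available from django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts=...), which should be preferred over a hand-written check where it fits.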
🛡 Expected Behavior
After this fix:
- Users will only be redirected to internal routes (e.g., /projects, /settings).
- Any attempt to redirect to an external domain is blocked, and the user is instead taken to a safe default route.
🚨 Impact Before Fix
- Phishing: Malicious links could redirect users to attacker-controlled login pages.
- Trust Erosion: The platform's domain can be misused in phishing campaigns.
- Token Exposure: If session tokens were passed in URLs, they could be exfiltrated.
🧪 Testing
- ✅ Confirmed that redirection now only works with relative internal paths.
- ✅ URLs starting with http://, https://, or // are ignored or redirected to /dashboard.
- ✅ Manual testing done on:
  - Firefox 132
  - Chrome 137
Visual Reference: ai-op.mp4 (video attachment)
Recommendation Implemented
- Input validation on the next parameter.
- Safe redirect fallback.
- Prepared for additional enhancements like interstitial warning or redirect whitelisting if needed.
Please review and let me know if you’d like to see CSP header additions or redirect interstitials as part of a separate patch.