← vuln-lab catalog

Client-side Open Redirect

The next query parameter is assigned directly to location with no allowlist, so ?next=https://evil… bounces the victim off-site. (The server-side twin is /api/redirect.)

(no redirect target)

Trigger: /redirect/?next=https://evil.vuln-lab.test

Detected by: browser_cdp_js_redirection_trace, browser_cdp_open_redirect_test