
Open Redirect

A login flow takes a ?next= query parameter and redirects to it after authentication. An attacker sets ?next=https://evil.com/phish, and because the redirect is issued by your trusted domain, the phishing link looks legitimate to the user. Arcis ships validateRedirect, which checks the redirect target against a strict whitelist of hosts before it is used.

What it catches

Sample

import { validateRedirect } from '@arcis/node';

// user_next is the raw, untrusted value of the ?next= query parameter.
const safe = validateRedirect(user_next, {
  allowedHosts: ['app.example.com', 'admin.example.com'],  // exact host matches only
  allowRelative: true                                        // also accept same-site paths such as /dashboard
});

if (safe.isValid) res.redirect(safe.url);  // safe.url is the validated target
else res.redirect('/');                     // fall back to a safe default
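To make the whitelist behaviour concrete, the following is an added example, not the @arcis/node implementation: a stand-alone validator in the same shape as the sample above (allowedHosts, allowRelative, a result with isValid and url), run over constructed inputs that cover the usual ways an open-redirect filter gets bypassed. The function name, RESOLVE_BASE, the reason field and the sample inputs are assumptions made for this example.

```javascript
// Added example, not the @arcis/node implementation: a strict allowlist
// validator for post-login redirect targets. It mirrors the option names used
// on this page (allowedHosts, allowRelative) and the { isValid, url } result;
// the function name, RESOLVE_BASE and the `reason` field are assumptions.

// Origin used only to resolve relative targets (assumed to be the app's own).
const RESOLVE_BASE = 'https://app.example.com';

function validateRedirect(target, { allowedHosts = [], allowRelative = false } = {}) {
  if (typeof target !== 'string' || target.length === 0) {
    return { isValid: false, reason: 'empty' };
  }
  // Control characters, whitespace and backslashes are normalised away by URL
  // parsers and browsers ("/\evil.com" becomes "//evil.com"); reject them up front.
  if (/[\x00-\x20\x7f\\]/.test(target)) {
    return { isValid: false, reason: 'bad-chars' };
  }

  // Relative path: exactly one leading slash. "//host" is protocol-relative,
  // i.e. an absolute URL in disguise, so it is not treated as relative.
  if (target.startsWith('/') && !target.startsWith('//')) {
    if (!allowRelative) return { isValid: false, reason: 'relative-not-allowed' };
    const u = new URL(target, RESOLVE_BASE);
    // Dot-segment tricks such as "/..//evil.com" resolve to a "//"-prefixed
    // path, which a browser would again read as protocol-relative.
    if (u.pathname.startsWith('//')) return { isValid: false, reason: 'escaped-origin' };
    return { isValid: true, url: u.pathname + u.search + u.hash };
  }

  // Everything else must be a fully qualified https URL on an allowed host.
  let u;
  try {
    u = new URL(target);          // throws on "evil.com", "//evil.com", garbage
  } catch {
    return { isValid: false, reason: 'unparseable' };
  }
  if (u.protocol !== 'https:') return { isValid: false, reason: 'scheme' };      // javascript:, http:, data:
  if (u.username || u.password) return { isValid: false, reason: 'userinfo' };   // https://app.example.com@evil.com
  // Exact hostname match only: "app.example.com.evil.com" must not pass.
  if (!allowedHosts.includes(u.hostname)) return { isValid: false, reason: 'host' };
  return { isValid: true, url: u.href };
}

// Constructed sample inputs covering the common bypass shapes.
const OPTS = { allowedHosts: ['app.example.com', 'admin.example.com'], allowRelative: true };
const SAMPLES = [
  '/dashboard?tab=1',
  'https://admin.example.com/users',
  'https://evil.com/phish',
  '//evil.com/phish',
  '/\\evil.com',
  '/..//evil.com',
  'https://app.example.com@evil.com/',
  'https://app.example.com.evil.com/',
  'http://app.example.com/',
  'javascript:alert(1)',
];

// Returns a map of sample -> decision so the outcome can be inspected or asserted.
function runSamples() {
  const out = {};
  for (const s of SAMPLES) out[s] = validateRedirect(s, OPTS);
  return out;
}

for (const [s, r] of Object.entries(runSamples())) {
  console.log(r.isValid ? `ALLOW ${s} -> ${r.url}` : `DENY  ${s} (${r.reason})`);
}
```

The design choice worth noting is that relative and absolute targets take separate paths: a relative target is re-serialised from the parsed URL rather than echoed back, so whatever the parser normalised is what gets redirected to, and an absolute target has to survive scheme, userinfo and exact-hostname checks in that order. Only the first two samples are allowed; every other line is denied with the reason that tripped it.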

References