---
title: URL Redirects Must Be In Allow List
impact: LOW
impactDescription: prevents open redirect vulnerabilities
tags: redirect, url, allow-list, validation, security, php
---

## URL Redirects Must Be In Allow List

Open redirect vulnerabilities let an attacker send a user to a site the attacker controls, typically as the landing page of a phishing link that appears to point at a trusted domain. They occur when an application takes a URL from the request (a query parameter, a form field, a `Referer`) and redirects the user to it without validating that the target is one the application actually trusts.

**Incorrect (unvalidated redirect URL):**

```php
// Open redirect vulnerability
$url = $_GET['url'];
header("Location: " . $url); // Attacker: ?url=https://malicious-site.com
exit;

// Partial validation (can be bypassed)
if (strpos($_GET['url'], 'example.com') !== false) {
    header("Location: " . $_GET['url']); // Bypass: https://attacker.com?example.com
    exit;
}
```

**Correct (allow list validation):**

```php
// 1. Using an allow list of hosts (absolute URLs)
$url = $_GET['url'] ?? '/';
$parsed = parse_url($url);
$allowedHosts = ['example.com', 'sun-asterisk.vn'];

if ($parsed !== false && isset($parsed['host'])) {
    // Exact, case-insensitive host match plus an http(s)-only scheme check,
    // so "example.com.attacker.com" and "javascript:" targets are refused
    $host   = strtolower($parsed['host']);
    $scheme = strtolower($parsed['scheme'] ?? '');
    if (!in_array($host, $allowedHosts, true) || !in_array($scheme, ['http', 'https'], true)) {
        header("Location: /error?msg=Invalid+Redirect");
        exit;
    }
    header("Location: " . $url);
    exit;
}

// 2. Ensuring relative redirect only
if (strpos($url, '/') === 0 && strpos($url, '//') !== 0 && strpos($url, '/\\') !== 0) {
    // A relative path starts with a single "/"; "//host" and "/\host" are
    // treated as protocol-relative absolute URLs by browsers
    header("Location: " . $url);
    exit;
}

// Anything else (no host and not a local path) is refused
header("Location: /error?msg=Invalid+Redirect");
exit;

// 3. Using Laravel's redirect helpers
return redirect()->away($url);             // away() does no validation: only pass a URL that passed the checks above
return redirect()->intended('/dashboard'); // Safer: fixed fallback, target comes from the session, not the request
```

**Protection strategies:**
1. Maintain an allow list of trusted hosts and compare the parsed host against it exactly (no substring or suffix matching).
2. Prefer relative redirects (a path starting with a single `/`, not `//` or `/\`), which cannot leave the site.
3. Validate both the scheme (`http`/`https` only) and the host with `parse_url()`, and reject anything that does not parse.
4. Use framework helpers that redirect to fixed or session-stored targets (e.g., Laravel's `redirect()->intended()`); helpers such as `redirect()->away()` do not validate and must only receive an already-checked URL.
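
As an added worked example (not code from the original rule page), the following PHP validator combines the strategies above into a single function and exercises it against constructed bypass payloads. The function name `validateRedirectTarget`, the allow list entries and the payload list are assumptions chosen for illustration.

```php
<?php
// Added example: one validator implementing the allow-list and relative-path
// strategies, with the bypass cases a reviewer would expect it to refuse.
// Function name, allow list and inputs are illustrative assumptions.

function validateRedirectTarget(string $url, array $allowedHosts): ?string
{
    // Control characters and whitespace have no place in a redirect target
    // and are what header-injection attempts rely on.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }

    // Relative path: exactly one leading "/" and not "/\". Browsers treat
    // "//host" and "/\host" as protocol-relative absolute URLs.
    if ($url[0] === '/') {
        if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
            return null;
        }
        return $url;
    }

    // Absolute URL: must parse, use http(s), and match an allowed host exactly.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }

    // Rebuild the URL from the parsed parts so the Location header carries
    // exactly what was validated (normalised case, no userinfo segment).
    $rebuilt = $scheme . '://' . $host;
    if (isset($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    $rebuilt .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $rebuilt .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

$allowedHosts = ['example.com', 'sun-asterisk.vn'];

// Constructed inputs: the first three are legitimate, the rest are bypass
// attempts that defeat naive strpos()/substring checks.
$inputs = [
    '/dashboard',
    'https://example.com/account?tab=1',
    'https://SUN-ASTERISK.vn/jobs',
    '//evil.example',                         // protocol-relative
    '/\\evil.example',                        // backslash variant of the above
    'https://attacker.example?example.com',   // substring-match bypass
    'https://example.com.attacker.example/',  // suffix confusion
    'https://example.com@attacker.example/',  // userinfo trick
    'javascript:alert(1)',                    // non-http scheme
    "https://example.com/\r\nSet-Cookie:x=1", // header-injection attempt
];

foreach ($inputs as $input) {
    $result = validateRedirectTarget($input, $allowedHosts);
    printf("%-48s => %s\n", json_encode($input),
        $result === null ? 'REJECTED' : 'ALLOWED ' . $result);
}
```

Two caveats worth keeping in mind: `parse_url()` is not a browser URL parser, so rebuilding the URL from its parsed parts (rather than echoing the raw input) keeps the validated and emitted values identical; and where the application does not genuinely need cross-site redirects, the relative-path branch alone is the simplest and safest policy. In Laravel the validated value is what you would hand to `redirect()->away()`, which performs no checks of its own.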

**Tools:** SonarQube (S5146, "HTTP request redirections should not be open to forging attacks"), Semgrep, PHPStan, Manual Review
