Open Redirect DOM Based Attacks



By Rohit Gautam

Summary: A DOM-based open redirect is a client-side vulnerability in which JavaScript running on the page takes attacker-controllable data (for example a query parameter, the URL fragment, document.referrer, window.name or a postMessage payload) and passes it, without adequate validation, to a navigation sink such as location.href, location.assign(), location.replace() or window.open(). Because the destination is chosen by client-side code, the malicious value may never reach the server and will not appear in server logs. An attacker who gets a victim to open a crafted link on the trusted domain can send them on to a phishing page or a malicious download and, if the sink accepts javascript: URLs, can escalate the redirect to DOM-based cross-site scripting.

Severity: Medium

Attack Vector: Remote

Complexity: Medium

Impact: A successful DOM-based open redirect lets an attacker deliver phishing pages, malicious downloads or other unauthorized content behind a link that starts on the trusted domain, so users, e-mail filters and link scanners are more likely to trust it. Where the vulnerable page sits in a login or OAuth/SSO flow, the redirect can also carry authorization codes, tokens or session identifiers to an attacker-controlled origin.

Affected Host/URL: https://www.example.com/

Port: 443

Steps to Reproduce:

1. Identify the target application and the pages that perform client-side navigation: login "return to" flows, "continue" links, OAuth/SSO callback handlers, language or theme switchers and similar.
2. Review the client-side JavaScript, including bundled and third-party scripts, for navigation sinks: assignments to location or location.href, calls to location.assign(), location.replace(), window.open() and history.pushState(), and href or <meta http-equiv="refresh"> values written into the DOM from script.
3. Trace each sink back to attacker-controllable sources: location.search, location.hash, location.pathname, document.referrer, window.name, postMessage data, and values read from localStorage or cookies that an attacker can seed.
4. Craft a URL whose controlled parameter or fragment resolves to an attacker-controlled origin, trying the forms that bypass naive prefix checks: an absolute URL (https://attacker.example), a protocol-relative URL (//attacker.example), a backslash variant (/\attacker.example), URL-encoded variants (%2F%2Fattacker.example), a host that merely starts with the trusted name (https://www.example.com.attacker.example) and, where the sink allows script execution, a javascript: URI.
5. Open the crafted URL in a browser and confirm from the address bar or the network tab that the page navigates to the attacker-controlled URL. Note whether the server was involved at all: a value carried in the fragment is never sent to the server, which is a sign the redirect is purely DOM-based.

Recommendations:

To mitigate DOM-based open redirects, consider the following recommendations:
1. Avoid user-controlled redirect targets where possible. Prefer a short identifier that the application maps to a fixed list of destinations, and show an interstitial "you are leaving this site" page for the few intentional external redirects.
2. Where a target must be accepted, validate it with a URL parser rather than string prefix checks: resolve the value against the application's own origin, require the resulting origin to equal the application's, and navigate to the resulting path rather than the raw input. This rejects protocol-relative (//), backslash (/\), encoded and javascript:/data: forms by construction instead of relying on a blocklist of patterns.
3. Apply the same validation to every navigation sink in the client-side code: location and location.href, location.assign(), location.replace(), window.open(), and any href or <meta http-equiv="refresh"> value written from script.
4. Deploy a Content Security Policy to limit the impact of DOM-based XSS that could otherwise reach these sinks, but treat it as defence in depth only: CSP does not restrict the destinations that location may be set to, so it does not by itself prevent an open redirect.
5. Regularly update and patch client-side frameworks, routing libraries and other components that may contain the redirection logic.
6. Educate developers about DOM sources and sinks and about secure handling of redirect targets.
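The following is an added example, not code from the original report or from the assessed application. It models the "return to" login flow used in the reproduction steps above and contrasts the weak check those steps bypass with the parser-based validation recommended in point 2. The application origin https://www.example.com, the parameter name returnUrl and all payloads are assumed for illustration; in a browser the returned string would be assigned to location.href, which is the sink. It runs under Node.js, whose WHATWG URL implementation matches the browser's.

```javascript
// Added example: DOM-based open redirect in a login "return to" flow,
// vulnerable guard beside the hardened one. Assumed names: APP_ORIGIN,
// the returnUrl parameter and every payload below are constructed for
// illustration and are not taken from the assessed application.

const APP_ORIGIN = "https://www.example.com"; // assumed application origin

// Source: the page script reads returnUrl from location.search (simulated as a string).
function returnUrlFrom(search) {
  return new URLSearchParams(search).get("returnUrl") || "/";
}

// VULNERABLE: "starts with a slash" is a common but insufficient guard.
// "//evil.example" and "/\evil.example" both satisfy it, yet the browser
// resolves both to a different host, so the sink navigates off-site.
function vulnerableRedirectTarget(search) {
  const target = returnUrlFrom(search);
  if (target.startsWith("/")) {
    return target; // sink: location.href = target
  }
  return "/";
}

// HARDENED: resolve the candidate against the app origin with the WHATWG
// parser, require the resulting origin to equal the app's, and hand back
// only the path, query and fragment so the navigation can never carry a host.
// javascript: and data: URLs have an opaque ("null") origin and are rejected
// by the same comparison. Returns null when the target must be refused.
function safeRedirectTarget(search, appOrigin = APP_ORIGIN) {
  const candidate = returnUrlFrom(search);
  let resolved;
  try {
    resolved = new URL(candidate, appOrigin + "/");
  } catch {
    return null; // unparseable input is refused rather than "fixed up"
  }
  if (resolved.origin !== appOrigin) {
    return null; // covers https://evil, //evil, /\evil, %2F%2Fevil, javascript:
  }
  return resolved.pathname + resolved.search + resolved.hash; // sink: location.href = this
}

// Constructed probe set mirroring reproduction step 4 (not real traffic).
const PROBES = [
  "?returnUrl=/account/settings?tab=2",                   // legitimate same-origin path
  "?returnUrl=https://www.example.com/home",              // legitimate absolute URL
  "?returnUrl=https://evil.example/phish",                // absolute cross-origin
  "?returnUrl=//evil.example/phish",                      // protocol-relative
  "?returnUrl=/%5Cevil.example",                          // backslash variant, decodes to /\evil.example
  "?returnUrl=%2F%2Fevil.example",                        // encoded protocol-relative
  "?returnUrl=https://www.example.com.evil.example/",     // prefix-matching host
  "?returnUrl=javascript:alert(document.domain)",         // script-scheme URL
];

// Runs every probe through both implementations and reports where they disagree.
function compareGuards(probes = PROBES) {
  return probes.map((search) => ({
    input: returnUrlFrom(search),
    vulnerable: vulnerableRedirectTarget(search),
    hardened: safeRedirectTarget(search),
  }));
}

for (const row of compareGuards()) {
  console.log(`${row.input.padEnd(44)} weak -> ${String(row.vulnerable).padEnd(28)} hardened -> ${row.hardened}`);
}
```

The weak guard lets the protocol-relative and backslash payloads through because it inspects the string, whereas the browser's URL parser treats a leading "//" or "/\" on a special scheme as the start of an authority. The hardened function asks the same parser the browser will use, so there is no gap between what is validated and what is navigated to.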

References: 

1. OWASP - DOM Based XSS: https://owasp.org/www-community/attacks/DOM_Based_XSS
2. PortSwigger Web Security Academy - DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection

Proof of Concept:

Please refer to the attached screenshot or video for a visual demonstration of the DOM-based open redirect vulnerability.