Is it safe to redirect to an url like so: "https://example.com/" + userData?

As mentioned in the comments, this scenario doesn't seem to be exploitable with the javascript: (or data:, which can also be used to execute JavaScript) pseudo protocol. However, it may be possible to perform a reflected XSS attack if example.com outputs userData on a custom 404 page. Let's assume that this page displays an error message:

<h1>Page 'userData' not found.</h1>

In this case, if an attacker submits a JavaScript payload (eg: <script>alert('xss');</script>), it will be rendered on the page,

<h1>Page '<script>alert('xss');</script>' not found.</h1>  

and the code may be executed by a visitor. This attack can be prevented by filtering the user data - user input should always be sanitized anyway.

An open redirect exploit does not seem very likely because the user input is appended to the domain, and exploit attempts should result in a 404 response. Of course, if there are other local pages that allow any redirects, then an attacker could use them in their payload, eg:

vulnerable/page?url=http://attacker.com

Note that just because I can't confirm an exploit, that doesn't mean that the code isn't vulnerable, depending on the server configuration. We can prevent open redirect exploits by filtering user data based on a list of valid and trusted locations. This may also help with several other attacks targeting the server, such as directory traversal, file inclusion and server-side request forgery attacks.


  1. This may be a point for a phishing attack

An attacker may send an email pretending to be from your site and inject a link like this (I assume “jumper.php” is a page that has a single URL parameter with the target URL, which may contain user data):

To verify your account please follow this link: http://example.com/jumper.php?url=http%3A%2F%2Fexample-my.com

In that case, the user will see in the mail a link starting with http://example.com and may assume that this is a valid link to your site, but actually they will be redirected to http://example-my.com, which may be controlled by the attacker (and look much like your site).

  2. In some cases, people use JavaScript for redirection

If the page contains code like this (PHP example):

<script>location.replace(<?= json_encode($userData) ?>);</script>

Then, even if the variable is properly sanitized, an attacker may execute arbitrary JavaScript code in the context of http://example.com by redirecting to javascript:.... For example:

To verify your account please follow this link: http://example.com/jumper.php?url=javascript%3Aalert%28document.cookie%29

In that case, the redirection will become

<script>location.replace("javascript:alert(document.cookie)");</script>

and the code javascript:alert(document.cookie) (as an example) will be executed in the context of http://example.com. Sure, an attacker may do much more powerful things by injecting arbitrary JavaScript code.


Let's assume that the redirection is done by adding a header like this (PHP example): header("Location: http://example.com/".$userData);

Since $userData is not encoded in any way, an attacker may in fact obtain access to the HTTP response generated by the server. For example, $userData may contain something like:

"somepage.php\r\nattacker-header:some value\r\n\r\nattacker page body with JavaScript"

While most HTTP libraries (including PHP starting from 5.1.4, AFAIK) prevent this kind of header injection attack and will generate an error, some old tools may be vulnerable.
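As an added example (not code from any of the answers above), here is a server-side check in Node.js that covers the three points raised on this page: only allowlisted local pages may be redirect targets, javascript:/data: and foreign-origin targets are rejected before they reach location.replace or a Location header, and CR/LF is refused so the header cannot be split. BASE and ALLOWED_PATHS are assumed values for example.com.

```javascript
// Added example: validate a user-supplied redirect target for example.com.
// Uses Node's built-in WHATWG URL class; no third-party modules needed.
const BASE = "https://example.com/";                             // assumed site origin
const ALLOWED_PATHS = new Set(["/somepage.php", "/account/verify"]); // assumed trusted pages

// Returns the absolute URL to redirect to, or null if the input must be refused.
function safeRedirectTarget(userData, base = BASE, allowed = ALLOWED_PATHS) {
  if (typeof userData !== "string") return null;

  // CR/LF (or any other control character) in a raw header("Location: ...")
  // would let the response be split into extra headers and a body; refuse it.
  if (/[\u0000-\u001f\u007f]/.test(userData)) return null;

  let url;
  try {
    // Relative input ("somepage.php", "../x") resolves under the base, but an
    // absolute input ("javascript:...", "http://attacker.com", "//attacker.com")
    // overrides the base entirely, so the result must be checked, not trusted.
    url = new URL(userData, base);
  } catch (e) {
    return null; // unparsable input
  }

  // javascript: and data: URLs have the opaque origin "null"; foreign hosts
  // (including look-alikes such as example.com.attacker.com) have another origin.
  if (url.origin !== new URL(base).origin) return null;

  // Only known local pages are acceptable targets. ".." segments are already
  // resolved by the parser, so the check runs on the normalised pathname.
  if (!allowed.has(url.pathname)) return null;

  return url.href;
}
```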