What is the purpose of (ab)using the redirect page of my website for dubious URLs?

Assuming that people trust your site, abusing redirections like this can help avoid spam filters or other automated filtering on forums/comment forms/etc. by appearing to link to pages on your site. Very few people will click on a link to https://evilphishingsite.example.com, but they might click on https://catphotos.example.com?redirect=https://evilphishingsite.example.com, especially if it was formatted as https://catphotos.example.com to hide the redirection from casual inspection - even if you look in the status bar while hovering over that, it starts with a reasonable-looking string.

The main risks are to your site's reputation (it's more likely to get blacklisted by filtering services if they spot dubious traffic being accessed through it) and to people following these links (who knows what is actually on the other site you're sending them to). It's unlikely to result in compromise of your server directly.


If you have a login page on your site, the bad guys could have used your open redirect to make a more successful phishing page for your users.

From https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.


The crux is that using your redirect leverages the good name of your business to get someone to click on the malicious link.
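Both answers above describe the same flaw: a redirect handler that forwards the browser to whatever is in the redirect parameter. The following is an added example (not code from the question or either answer) that puts the open redirect beside a hardened version which only ever sends the user back onto the site's own host. The site name catphotos.example.com is borrowed from the first answer; the allowlist, the function names and the sample inputs are assumptions made for this example. It also covers the bypasses a practitioner checks for that the answers do not mention: scheme-relative URLs (//host), backslash variants that browsers treat as slashes, userinfo tricks (ours@evil), look-alike subdomains, and non-http schemes.

```python
from urllib.parse import urljoin, urlsplit

# Assumed values for this example: the site from the first answer and the
# only host a redirect is allowed to land on.
SITE_ORIGIN = "https://catphotos.example.com"
ALLOWED_HOSTS = {"catphotos.example.com"}


def vulnerable_redirect_target(redirect_param: str) -> str:
    """The open redirect: the ?redirect= value is used verbatim as the
    Location header, so any destination the attacker supplies is honoured."""
    return redirect_param


def safe_redirect_target(redirect_param: str, default: str = "/") -> str:
    """Return a redirect target that stays on our own host, or `default`."""
    if not redirect_param:
        return default
    # Browsers treat "\" as "/" in URLs, so "/\evil.example.com" would be read
    # by the browser as scheme-relative "//evil.example.com". Normalise first
    # so the parser below sees what the browser will see.
    candidate = redirect_param.replace("\\", "/")
    # Resolve against our origin: a plain path stays on our host, an absolute
    # URL replaces the base, and "//host/..." resolves to that foreign host.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", candidate))
    if resolved.scheme not in ("http", "https"):
        return default  # javascript:, data:, etc. are never a valid target
    # .hostname strips userinfo and port, so "ours@evil" and "ours.evil" are
    # both seen as the real destination host and rejected.
    if resolved.hostname not in ALLOWED_HOSTS:
        return default
    # Re-emit as a relative path so the Location header never carries a host;
    # even a correct absolute URL is reduced to its on-site path.
    target = resolved.path or "/"
    if resolved.query:
        target += "?" + resolved.query
    return target


def compare(redirect_param: str) -> dict:
    """Show what each handler would send the browser to for one input."""
    return {
        "input": redirect_param,
        "vulnerable": vulnerable_redirect_target(redirect_param),
        "safe": safe_redirect_target(redirect_param),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the link from the answer plus common bypasses.
    samples = [
        "https://evilphishingsite.example.com",
        "//evilphishingsite.example.com/login",
        "/\\evilphishingsite.example.com",
        "https://catphotos.example.com@evilphishingsite.example.com/",
        "https://catphotos.example.com.evilphishingsite.example.com/",
        "javascript:alert(1)",
        "/account?tab=1",
        "https://catphotos.example.com/album/3",
    ]
    for s in samples:
        r = compare(s)
        print(f"{r['input']!r:65} vulnerable -> {r['vulnerable']!r:55} safe -> {r['safe']!r}")
```

The important design choice is the last step: rather than trying to decide whether an arbitrary absolute URL is "ours", the hardened handler resolves the input against its own origin, checks the resulting host against a short allowlist, and then emits only the path and query. That way a reviewer can see from the Location header alone that the redirect cannot leave the site, and a new parser quirk in some browser cannot turn an accepted value into an off-site hop.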