Open redirects remain a notable vulnerability, highlighted by OWASP’s history of listing “Unvalidated Redirects and Forwards” in 2010 and merging it into “Sensitive Data Exposure” in 2013. The vulnerability can be subtle: a user receives a 3xx redirect and ends up at a destination that may bypass authentication and access controls if the application trusts the supplied redirect URL.
According to recent observations, honeypots have seen a rise in scans targeting redirect-related URLs such as /continue?url=, /redirect?url=, /away?url=, /goto?url=, and /jump?url=, all directing to http://testdomain[.]com. Most of the activity originates from a single IP address, 89.248.168[.]239, registered to AS202425, IP Volume, a company in the Seychelles commonly described as a “bulletproof” hoster due to its relaxed abuse policy.
The author notes that blocking AS202425 may still be advisable, referencing coverage in the New York Times. These findings come as the security community watches redirect flows closely, given their increased relevance with the ubiquity of OAuth and its reliance on redirect URLs.
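To check your own web server logs for the probes described above, the following added example (not code from the original article) flags requests to the listed redirect paths whose `url` parameter points off-site, and separates out the ones the server answered with a 3xx. The allowlisted host, the log format (combined log format) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Endpoint paths named in the scans described above.
PROBE_PATHS = {"/continue", "/redirect", "/away", "/goto", "/jump"}
# Assumption: the only hosts this site legitimately redirects to.
ALLOWED_HOSTS = {"www.example.org"}
# Combined-log-format fields used here: client IP, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def external_host(value):
    """Return the off-site host a redirect value points to, else None."""
    # Browsers read "\" as "/", and "//host/path" is scheme-relative.
    try:
        host = urlsplit(value.strip().replace("\\", "/")).hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    return host.lower() if host and host.lower() not in ALLOWED_HOSTS else None

def find_probes(lines):
    """Return (ip, path, target_host, status) for each off-site url= request."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/").lower() not in PROBE_PATHS:
            continue
        # parse_qsl percent-decodes, so url=%2F%2Fhost is seen as //host.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            host = external_host(value) if name.lower() == "url" else None
            if host:
                hits.append((ip, url.path, host, int(status)))
    return hits

def answered_with_redirect(hits):
    """Probes the server answered with a 3xx: endpoints to review first."""
    return [h for h in hits if 300 <= h[3] < 400]

def sources(hits):
    """Probe count per client IP, to spot a single dominant scanner."""
    return Counter(h[0] for h in hits)

# Constructed sample lines (documentation IP ranges, placeholder target host).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /redirect?url=http://probe-target.example HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /goto?url=%2F%2Fprobe-target.example HTTP/1.1" 404 0',
    '198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] "GET /continue?url=/account HTTP/1.1" 302 0',
]
```

A 3xx status in the access log only shows that the endpoint issued some redirect; confirm the `Location` header it returned before treating the endpoint as an open redirect.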