FirstBlood-#1406 Open redirect
This issue was discovered on FirstBlood v3

On 2022-12-09, lumbridge7 Level 4 reported:

Hello firstblood team!


The endpoints /book-appointment.html and /about.html automatically redirect to a PHP page.

  • book-appointment.html -> book-appointment.php
  • about.html -> about.php

If we intercept this request to analyse the source code of the HTML file, we can see a script setting top.location to the redirect_url parameter.

This is the script in the source code:

    var curUrl = window.location.search; // value elided in the report; assumed here to be the current query string
    var params = new URLSearchParams(curUrl);
    var redirect_url = params.get('redirect_url');

    if (redirect_url == null) {
        // body not shown in the report
    } else {
        top.location = redirect_url; // as described in the report: the destination is used without validation
    }

Based on that, I tried to see if it would accept any random URL to exploit an open redirect by appending ?redirect_url= to the URL, and it worked! It redirects to

Steps to reproduce

  1. Access the URL
  2. You'll automatically be redirected to


To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending a 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URIs or to a list of trusted domains.

P5 Informative

Endpoint: /book-appointment.html, /about.html

Parameter: redirect_url

Payload: redirect_url=

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
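One way to implement the safe-redirect check recommended in the report, as an added example that is not part of the report or of the FirstBlood code: the destination is parsed with the WHATWG URL parser and accepted only when it is same-origin (returned as a relative path) or its host is on an allow-list; anything else, including non-http schemes such as javascript:, falls back to a fixed path. The origin, host names and sample inputs below are constructed.

```javascript
// Added example: validate a redirect_url value before assigning it to top.location.
// Allows only same-origin targets (returned as a relative path) or hosts on an
// allow-list; everything else returns FALLBACK. Works in Node and browsers (URL global).
const FALLBACK = '/';

function safeRedirectTarget(redirectUrl, currentOrigin, trustedHosts = []) {
  if (typeof redirectUrl !== 'string' || redirectUrl.length === 0) return FALLBACK;
  let base, target;
  try {
    base = new URL(currentOrigin).origin;          // normalise e.g. a trailing slash away
    // Resolving against the current origin turns relative paths into absolute URLs;
    // "//evil.example" and "\\evil.example" resolve to a foreign host and fail below.
    target = new URL(redirectUrl, base);
  } catch (e) {
    return FALLBACK;                                // unparsable input
  }
  // Only http(s) is acceptable: this rejects javascript:, data:, file: and friends.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return FALLBACK;
  if (target.origin === base) {
    // Same origin: hand back only path, query and fragment, never the full URL.
    return target.pathname + target.search + target.hash;
  }
  if (trustedHosts.includes(target.hostname)) return target.href;
  return FALLBACK;
}

// Constructed sample inputs modelled on the report's redirect_url parameter.
const origin = 'https://app.example';
const trusted = ['docs.example'];
const samples = [
  '/about.php',
  'https://app.example/book-appointment.php?x=1',
  'https://docs.example/help',
  'https://attacker.example/',
  '//attacker.example/',
  'javascript:alert(1)',
  '\\\\attacker.example',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s, origin, trusted));
}
```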

Report Feedback


Creator & Administrator

Hi there, more than open URL redirect was possible on this endpoint (such as XSS via the JavaScript URI), so this report will be accepted as informative.