Open Redirect in openwhyd/openwhyd

Reported on Dec 5th 2021

This vulnerability was discovered in Here by @mdakh404. However, it was not patched properly, and I bypassed the fix with a simple trick.

      r.html = mainTemplate.renderWhydPage(r);
    // call the adequate renderer
-    if (r.redirect) response.redirect(r.redirect);
+    if (r.redirect) response.safeRedirect(r.redirect);
    else if (r.html) response.renderHTML(r.html);
    else response.renderJSON(r);
    // and track visit to that page
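Review bot: the call site now delegates all validation to safeRedirect(), so this change is only as strong as that check; a regression test that passes an absolute URL on a different origin through r.redirect and expects a forbidden response would make the intent of `if (r.redirect) response.safeRedirect(r.redirect);` explicit and catch a weak check in safeRedirect().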

First, I checked how it was patched. In the patch, I could see that when redirecting in consent.js, the redirect() method had been replaced with the safeRedirect() method.


+ // TODO: this function is overrided by Express => delete it to prevent ambiguity
 http.ServerResponse.prototype.redirect = function (url) {
   return this.renderHTML(loggingTemplate.htmlRedirect(url));

+ http.ServerResponse.prototype.safeRedirect = function (url) {
+   const fullURL = new URL(url, config.urlPrefix);
+   if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+   this.redirect(url);
+ };
 http.ServerResponse.prototype.redirectWithTracking = function (url, title) {
   return this.renderHTML(
     loggingTemplate.renderRedirectPageWithTracking(url, title)
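Review bot: `if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();` is a string-prefix comparison on the serialized href, which does not establish that fullURL has the same origin as config.urlPrefix; compare `fullURL.origin` with `new URL(config.urlPrefix).origin` (or host/hostname) instead. Two smaller points: `new URL(url, config.urlPrefix)` throws on unparseable input and that exception is not handled, and `this.redirect(url);` forwards the unresolved input rather than fullURL and lacks a `return`.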

The safeRedirect() method has been added to logging.js. However, if you look at the safeRedirect() method, you can see that it is flawed...

+ if (!fullURL.toString().startsWith(config.urlPrefix))

Look at the conditional statement. The value of url is parsed with the URL() constructor and stored in the fullURL variable. Then, in the if statement, fullURL is converted to a string and compared with the urlPrefix value. The string form of a URL object is its href, not its origin, host, or hostname.

Look at the picture above. The flaw can be circumvented with a simple trick. The origin, host, or hostname must be used to validate the URL!
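As an added example (not openwhyd's code), the patched string-prefix check next to an origin-based check, run over a few constructed redirect targets as regression cases; URL_PREFIX stands in for config.urlPrefix and the example domains are assumptions:

```javascript
// Constructed stand-in for config.urlPrefix (assumption, not openwhyd's value).
const URL_PREFIX = "https://example.org";

// Mirrors the logic of the patched safeRedirect(): serialize the resolved URL
// (its href) and test whether that string begins with the configured prefix.
function prefixCheckAllows(url) {
  const fullURL = new URL(url, URL_PREFIX);
  return fullURL.toString().startsWith(URL_PREFIX);
}

// Hardened variant: compare the resolved URL's origin (scheme + host + port)
// with the origin of the configured prefix. Relative paths resolve against the
// prefix and so share its origin; absolute URLs keep their own origin.
function originCheckAllows(url) {
  let fullURL;
  try {
    fullURL = new URL(url, URL_PREFIX);
  } catch {
    return false; // unparseable input is never a valid redirect target
  }
  return fullURL.origin === new URL(URL_PREFIX).origin;
}

// Constructed regression cases with the verdict a maintainer would expect.
const CASES = [
  { url: "/login", expected: true },                            // relative path
  { url: "https://example.org/consent", expected: true },       // same origin
  { url: "https://example.net/", expected: false },             // other site
  { url: "https://example.org.example.net/", expected: false }, // host that merely starts with the prefix string
  { url: "//example.net/", expected: false },                   // protocol-relative, resolves to another origin
];

// Returns the URLs for which `check` disagrees with the expected verdict.
function mismatches(check) {
  return CASES.filter((c) => check(c.url) !== c.expected).map((c) => c.url);
}

console.log("prefix check misjudges:", mismatches(prefixCheckAllows));
console.log("origin check misjudges:", mismatches(originCheckAllows));
```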

Proof of Concept

1. Open the
2. If you click the button after agreeing to the terms and conditions, you will be redirected to Google.


An open redirect can cause additional damage by redirecting users to a malicious site.

We are processing your report and will contact the openwhyd team within 24 hours. a year ago
Pocas modified the report
a year ago
We have contacted a member of the openwhyd team and are waiting to hear back a year ago
We have sent a follow up to the openwhyd team. We will try again in 7 days. a year ago
Adrien Joly validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
a year ago

Good catch, thanks for submitting! I'm working on a fix: Feedback is welcome.

a year ago


Confirmed patch commit! It's a good patch!

Adrien Joly marked this as fixed in 1.45.3 with commit 387079 a year ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE
Adrien Joly
a year ago

Can you assign a CVE to a researcher?

Jamie Slome
a year ago


@adrienjoly - sorted! ♥️
