darkly/open_redirect

Open redirect

How We Found It

On the footer, there is buttons to go to the twitter, instagram and facebook page of 42. to redirect the links in the href are ?page=redirect&site=<service>. so we tried changing the site to something else and got a flag

Utility of It

• Allows attackers to redirect users to arbitrary URLs.
• Can be used for phishing, token theft, or triggering unexpected behavior (like flag reveals in CTFs).
• Often underestimated but can be chained with other bugs.

How Can We Patch It

• Only allow redirects to a whitelisted set of domains.
• Don’t take the redirect target directly from user input.
• Consider showing a confirmation page before redirecting.