W-OPEN-REDIRECT · Initial Access
Open Redirect
Unvalidated redirect_uri / next / returnUrl parameter — used as a phishing aid or to leak OAuth tokens.
§ Where this technique fits
W-OPEN-REDIRECT is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 3 / 8
OAuth redirect_uri misconfig → account takeover
Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host.
- step 5 / 7
Subdomain takeover → cookie theft → account takeover
Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.
§ What commonly comes next
- 01 · OAuth — redirect_uri Misconfig · seen 1× · W-OAUTH-MISCONFIG · Credential Access
- 02 · Steal Web Session Cookie · seen 1× · T1539 · Credential Access