Unvalidated redirects in authentication flows can turn into XSS. If a login page takes its post-login redirect target from a request parameter and assigns it to window.location.href without checking it, a javascript: URL in that parameter is executed as script in the application's own origin. In the case discussed here the target travels inside a base64-encoded state parameter: an attacker crafts a state value that decodes to a javascript: URL, the login flow decodes it and navigates, and the injected code runs during login, where it can read JWTs or other secrets kept in localStorage and any cookies not marked HttpOnly. The base64 encoding is not a defence, since the application decodes the value before using it; the flaw is that the decoded redirect URL is never validated before reaching window.location.href. Mitigations: parse the decoded value with a real URL parser and accept only http(s) URLs whose host is on an allowlist (or only same-origin relative paths), which rejects javascript: and other non-http schemes, protocol-relative URLs and userinfo tricks without relying on string blocklists; use a temporary, single-use authorization code instead of passing tokens in URLs; treat the OAuth state value as an opaque nonce bound to the session and keep the return URL server-side rather than inside it; and detect token reuse attempts.
Table of contents
The Scenario
Expected Behaviour
Overview Of XSS Vulnerability In Redirection
Real World Demonstration
Avoid XSS Vulnerability In Redirection