Unvalidated redirects in authentication flows can enable XSS attacks where malicious JavaScript is injected into redirect URLs. An attacker can craft a base64-encoded state parameter containing JavaScript code that executes during login, potentially stealing JWT tokens, localStorage data, and cookies. The vulnerability occurs
Table of contents
The ScenarioExpected BehaviourOverview Of XSS Vulnerability In RedirectionReal World DemonstrationAvoid XSS Vulnerability In RedirectionSort: