Expected Findings
- `next` parameter is used as the Location header without host validation.
- Protocol-relative URLs (`//host/path`) are accepted.
- Marketing email templates use the same parameter, exposing real users.
The post-login redirect honors the `next` parameter without validating its host, making any attacker URL look like a legitimate landing page.
```go
// Vulnerable: the raw `next` query value becomes the Location header.
w.Header().Set("Location", r.URL.Query().Get("next"))
```
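As an added example (not code from the original report or from the application it describes), the following Go program places the unsafe handler beside a hardened one and drives both in-process so the resulting `Location` headers can be compared. The `safeRedirectTarget` helper, the `/dashboard` fallback route, the `/login` path and the `attacker.example` host are assumptions made for illustration. The validator goes slightly beyond the three listed findings: besides absolute and protocol-relative URLs it also refuses the `/\` prefix that some browsers normalise to `//`, and control characters are rejected because `url.Parse` fails on them.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// safeRedirectTarget (hypothetical helper) reduces the raw `next` value to a
// same-site path, or returns fallback when the value cannot be trusted.
// Rejected: empty values, absolute URLs (any scheme, host or userinfo),
// protocol-relative URLs ("//host/..."), and the "/\" variant that some
// browsers normalise to "//". Control characters make url.Parse fail, which
// also blocks header-injection attempts.
func safeRedirectTarget(next, fallback string) string {
	if next == "" {
		return fallback
	}
	if !strings.HasPrefix(next, "/") ||
		strings.HasPrefix(next, "//") ||
		strings.HasPrefix(next, "/\\") {
		return fallback
	}
	u, err := url.Parse(next)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return fallback
	}
	// Percent-decoded forms such as "/%2F%2Fhost" are refused as well; being
	// conservative here costs nothing because fallback is always valid.
	if strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	return next
}

// vulnerableLogin reproduces the finding: whatever arrives in `next` is
// copied into the Location header without any host validation.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Location", r.URL.Query().Get("next"))
	w.WriteHeader(http.StatusFound)
}

// hardenedLogin is the corrected form: the browser is only ever sent to a
// validated same-site path, defaulting to /dashboard (an assumed route).
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	target := safeRedirectTarget(r.URL.Query().Get("next"), "/dashboard")
	http.Redirect(w, r, target, http.StatusFound)
}

// redirectLocation drives a handler in-process with ?next=<value> and
// returns the Location header it produced, so both behaviours can be
// compared without a listening server.
func redirectLocation(h http.HandlerFunc, next string) string {
	req := httptest.NewRequest(http.MethodGet, "/login?next="+url.QueryEscape(next), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed sample inputs covering each item in the findings list.
	samples := []string{
		"/account/settings?tab=security", // legitimate same-site path
		"//attacker.example/landing",     // protocol-relative
		"https://attacker.example/",      // absolute URL on another host
		"/\\attacker.example",            // backslash variant
		"",                               // missing parameter
	}
	for _, s := range samples {
		fmt.Printf("next=%-34q vulnerable=%-30q hardened=%q\n",
			s, redirectLocation(vulnerableLogin, s), redirectLocation(hardenedLogin, s))
	}
}
```

Running it prints one line per sample: the vulnerable handler echoes the protocol-relative and absolute values unchanged, while the hardened handler sends every untrusted value to `/dashboard` and passes only the same-site path through. Because the marketing email templates reuse the same parameter, the fix belongs in the shared login handler rather than in any one template.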