Do (Not) Follow the White Rabbit: Challenging the Myth of Harmless Open Redirection
Soheil Khodayari
Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Web Exploitation
This talk, presented by Gianluca Golinelli on behalf of authors Soheil Khodayari and Gian Carlo, challenges the long-held industry belief that **open redirect vulnerabilities** are relatively harmless. An open redirect arises when a site takes its redirect target from attacker-controllable input (typically a `next`, `returnUrl` or `redirect` parameter) and navigates the user to it without validating the value, so a link that starts on the legitimate domain can end on an arbitrary attacker-chosen URL. Because the impact was assumed to stop at a convincing phishing lure, these findings have traditionally been deprioritized in security assessments and bug bounty programs. The research presented in this paper, titled "Do (Not) Follow the White Rabbit," argues that this perception is outdated and dangerous, especially with the modern web's increasing reliance on client-side JavaScript for redirections: when the redirect is performed by assigning attacker-controlled data to `location.href` or a similar navigation sink, a `javascript:` URL executes in the origin of the vulnerable page, and the open redirect becomes cross-site scripting.
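The following is an added illustration, not code from the paper or the talk: a client-side redirect handler of the kind the talk discusses, in its vulnerable form, with a common but insufficient prefix check, and in a hardened form. The origin `https://app.example` and the `next` parameter name are assumptions for the example. The browser assignment `location.href = target` is modelled by returning the string that would be assigned, so the code runs under Node.js.

```javascript
// Added example, not from the paper. Assumed application origin.
const APP_ORIGIN = 'https://app.example';

// Vulnerable pattern: the `next` query parameter is used as the redirect
// target as-is. With next=javascript:alert(document.domain) the later
// `location.href = target` runs script in the page's origin, so the open
// redirect escalates to XSS.
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get('next') || '/';
}

// Common but insufficient fix: a string prefix check. It still accepts
// https://app.example.evil.example, https://app.example@evil.example and the
// protocol-relative //evil.example, all of which leave the site.
function prefixCheckedRedirectTarget(search) {
  const target = vulnerableRedirectTarget(search);
  return target.startsWith(APP_ORIGIN) || target.startsWith('/') ? target : '/';
}

// Hardened form: parse with the WHATWG URL parser relative to the app origin,
// then require an http(s) scheme and an exact origin match. The parser strips
// leading whitespace and embedded ASCII tab/newline, so "java\tscript:"
// obfuscations are normalised before the scheme check instead of slipping
// past a hand-written regex. Anything that fails falls back to "/".
function safeRedirectTarget(search, origin = APP_ORIGIN) {
  const candidate = vulnerableRedirectTarget(search);
  let url;
  try {
    url = new URL(candidate, origin);
  } catch {
    return '/';
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '/';
  if (url.origin !== origin) return '/';
  return url.href;
}

// Classify what a given redirect parameter would achieve against the
// vulnerable handler: script execution, an off-site redirect, or a harmless
// same-origin navigation.
function classify(search, origin = APP_ORIGIN) {
  const target = vulnerableRedirectTarget(search);
  let url;
  try {
    url = new URL(target, origin);
  } catch {
    return 'invalid';
  }
  if (url.protocol === 'javascript:') return 'xss';
  const isHttp = url.protocol === 'https:' || url.protocol === 'http:';
  if (!isHttp || url.origin !== origin) return 'open-redirect';
  return 'same-origin';
}

// Constructed sample inputs, as they would arrive in location.search.
const SAMPLES = [
  '?next=/account',
  '?next=javascript:alert(document.domain)',
  '?next=java%09script:alert(1)',
  '?next=//evil.example/',
  '?next=https://app.example.evil.example/',
  '?next=https://app.example@evil.example/',
];

for (const s of SAMPLES) {
  console.log(s, '=>', classify(s), '| hardened target:', safeRedirectTarget(s));
}

module.exports = { vulnerableRedirectTarget, prefixCheckedRedirectTarget, safeRedirectTarget, classify };
```

The point of the `classify` function is the one the talk makes: the same `next` parameter that a tester would log as a low-severity open redirect is, against a JavaScript sink, a script-execution primitive. The hardened handler deliberately parses first and compares `origin`, rather than matching on the raw string, because the raw string is what every bypass above exploits.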
AI review
Legitimate academic research that rehabilitates open redirect from 'won't fix' territory with real data — 1M pages, 21K confirmed vulns, 184 indicators, measurable escalation rates. Solid empirical work, but the core insight (javascript: scheme in a redirect parameter → XSS) isn't new to anyone who's done web sec seriously, and the paper's contribution is more measurement than novel attack primitive.