Open Redirect on Clusterfuzz.com #5168

@Lundrim23

Description

Summary
While this might not be like the other bugs and issues reported on GitHub, I discovered an Open Redirect vulnerability on the ClusterFuzz web application affecting both the login and logout endpoints.

Definition
An open redirect is a web vulnerability occurring when an application takes user-supplied input to a URL parameter and redirects the user to that destination without validation. Attackers exploit this to lure victims to malicious websites via a trusted domain, often for phishing, stealing credentials, or bypassing security controls.

Details
I identified that the application endpoints /login and /logout accept a dest= parameter but fail to validate that the destination is within the application domain. This allows an attacker to construct a URL that automatically redirects users to an external site.
The following request demonstrates the use of a scheme-relative URL to bypass a simple protocol check and force a redirection.

Request

GET /logout?csrf_token=[TOKEN]&dest=https://evil.com/ HTTP/2
Host: clusterfuzz.com
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Sec-Gpc: 1
Referer: https://clusterfuzz.com/logout?csrf_token=[TOKEN]=https%3A%2F%2Fclusterfuzz.com%2F

Response

HTTP/2 302 Found
Content-Type: text/html; charset=utf-8
Location: https://evil.com/
X-Cloud-Trace-Context: 09007cabcd50c1e3c2e0eeba9e058132
Content-Length: 221

<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="https://evil.com/">https://evil.com/</a>. If not, click the link.

Impact
An attacker can craft a convincing phishing link that leverages the trusted clusterfuzz.com domain. When a victim clicks the link, they are briefly routed through the legitimate application before being seamlessly redirected to a malicious page controlled by the attacker.

Affected Locations
URL(s)

  • https://clusterfuzz.com/login
  • https://clusterfuzz.com/logout
    • dest= Parameter

Recommendations
To remediate the issue, I recommend the following actions:

  • Avoid User Input for Routing: If possible, do not use user-supplied URLs for redirects. Instead, use an internal identifier mapped to a safe URL on the server side.
  • Implement an Allowlist: If dynamic redirection is strictly necessary, validate the destination parameter against a strict allowlist of trusted domains or relative paths.
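As an illustration of the allowlist recommendation above, the following is an added example written for this report; it is not ClusterFuzz's own code. It assumes a single trusted host (clusterfuzz.com, the one named in this issue) and hypothetical helper names (is_safe_redirect, safe_redirect_target). It accepts only same-site relative paths or https URLs whose host is exactly on the allowlist, and rejects the scheme-relative (//host), backslash (/\host), userinfo (trusted@evil) and subdomain-suffix (trusted.com.evil) forms that commonly slip past naive "does it start with /" or "does it contain our domain" checks.

```python
from urllib.parse import urlsplit

# Assumption: the only host the application should ever redirect to.
ALLOWED_HOSTS = frozenset({"clusterfuzz.com"})
FALLBACK_TARGET = "/"


def is_safe_redirect(dest, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `dest` is a same-site relative path or an https
    URL whose host is exactly one of `allowed_hosts`."""
    if not dest:
        return False

    # Reject control characters, space and DEL outright: browsers strip or
    # tolerate them in ways that can smuggle a different scheme or host past
    # a string check that ran on the raw value.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in dest):
        return False

    # Browsers treat '\' as '/' in URLs, so '/\evil.com' becomes '//evil.com'
    # (scheme-relative, i.e. an external host). Normalise before parsing so
    # the netloc check below sees what the browser would see.
    normalised = dest.replace("\\", "/")

    try:
        parts = urlsplit(normalised)
    except ValueError:
        # e.g. malformed IPv6 brackets in the authority; treat as unsafe
        return False

    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative reference: require https (no downgrade,
        # no javascript:/data: schemes), no userinfo, and an exact host match.
        if parts.scheme != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        host = (parts.hostname or "").lower()
        return host in allowed_hosts

    # Relative reference: exactly one leading slash. '//x' would already have
    # been parsed as a netloc above, but keep the explicit guard for clarity.
    return normalised.startswith("/") and not normalised.startswith("//")


def safe_redirect_target(dest, allowed_hosts=ALLOWED_HOSTS):
    """Return `dest` if it passes validation, otherwise a safe fallback.
    Route the user-supplied dest= value through this before calling redirect()."""
    return dest if is_safe_redirect(dest, allowed_hosts) else FALLBACK_TARGET


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    samples = [
        "/",
        "/login",
        "https://clusterfuzz.com/logout",
        "https://evil.com/",
        "//evil.com/",
        "/\\evil.com",
        "https://clusterfuzz.com@evil.com/",
        "https://clusterfuzz.com.evil.com/",
        "http://clusterfuzz.com/",
        "javascript:alert(1)",
        "/\tevil",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s)!r}")
```

In a Flask handler this would be used as `redirect(safe_redirect_target(request.args.get("dest")))`; the parse-then-compare approach is deliberate, since substring or prefix checks on the raw string are exactly what the encoded and scheme-relative variants are designed to defeat.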

Additional Resources
OWASP Cheat Sheet Series - Unvalidated Redirects and Forwards Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
