Open Redirect Checker — URL Parameter Testing
Probe common redirect query parameters for unsafe external Location headers
How to Use This Tool
- Enter the URL of a page with redirect functionality, including any existing query string if needed.
- The checker iterates over common parameter names: url, redirect, next, return, goto, dest, and variants.
- Each test appends an encoded, safe external URL as the parameter's value.
- The HTTP fetch uses manual redirect mode to capture the Location header without following it.
- The vulnerable flag is true when any Location header contains the test external host.
About This Tool
Open redirect vulnerabilities let attackers craft trusted-domain links that bounce victims to phishing sites. The VSPIC open redirect checker takes your base URL, appends common redirect parameter names with a safe external test URL, then inspects the HTTP Location headers without following redirects to see whether the external test destination appears.
Results list each parameter tested, the constructed test URL, whether the redirect matched the external target, and the captured Location value. A vulnerable flag summarizes whether any parameter exposed unsafe redirection behavior.
Understanding open redirect risk
Users trust links on familiar domains. If login.example.com/redirect?url=https://evil.example.com/phish responds with a Location header pointing to evil.example.com, attackers can embed the trusted link in emails, bypassing naive domain blocklists.
OAuth and SSO flows with return URL parameters are frequent locations for this vulnerability, and this tool screens common parameter names quickly.
Parameters we test
url, redirect, next, return, returnUrl, goto, dest, destination, redir, and target cover many framework conventions. Custom parameter names may require manual testing beyond automated coverage.
Safe test URL design
We use a reserved evil.example.com pattern — not a real phishing site — to detect redirect intent without harming users. Manual redirect mode prevents actually loading external content server-side beyond header inspection.
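The probe construction and Location check described above, as an added example that is not VSPIC's own code. It uses the ten parameter names listed on this page and assumes the test URL https://evil.example.com/. It also assumes a comparison of the parsed host rather than a substring search, which separates a real off-site redirect from a Location value that merely echoes the test URL in its query string.

```javascript
// Parameter names listed on this page; TEST_URL is an assumed value.
const PARAMS = ["url", "redirect", "next", "return", "returnUrl",
                "goto", "dest", "destination", "redir", "target"];
const TEST_URL = "https://evil.example.com/";

// One probe URL per parameter, keeping the existing query string.
function buildProbes(baseUrl) {
  return PARAMS.map((name) => {
    const u = new URL(baseUrl);
    u.searchParams.set(name, TEST_URL); // adds or replaces; value is percent-encoded
    return { parameter: name, testUrl: u.href };
  });
}

// Decide whether a captured Location value leaves for the test host.
// Relative and scheme-relative values are resolved the way a browser would.
function classifyLocation(requestUrl, location) {
  if (!location) return { matched: false, reason: "no Location header" };
  let target;
  try {
    target = new URL(location, requestUrl);
  } catch {
    return { matched: false, reason: "unparseable Location" };
  }
  const testHost = new URL(TEST_URL).hostname;
  if (target.hostname === testHost) return { matched: true, reason: "redirects to test host" };
  if (location.includes(testHost)) return { matched: false, reason: "test host only echoed in path or query" };
  return { matched: false, reason: "redirects elsewhere" };
}

// Constructed sample responses (parameter -> Location), not captured traffic.
const SAMPLE = {
  url: "https://evil.example.com/",
  next: "/login?next=https%3A%2F%2Fevil.example.com%2F",
  goto: "//evil.example.com/",
  dest: "/home",
};

// Per-parameter evidence plus the summary flag, from already-captured headers.
function report(baseUrl, responses) {
  const results = buildProbes(baseUrl).map((p) => ({
    ...p, location: responses[p.parameter] ?? null,
    ...classifyLocation(p.testUrl, responses[p.parameter]),
  }));
  return { vulnerable: results.some((r) => r.matched), results };
}
```

With the constructed SAMPLE, url and goto are flagged, while next is reported as an echo only: a plain substring match would have counted it as a finding.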
False positives and negatives
Some apps redirect only when session cookies are present, so unauthenticated tests miss vulnerable branches. JavaScript redirects without HTTP Location headers evade this checker entirely.
Strict allowlists that reject unknown hosts show safe results even when loose redirect logic exists in untested parameters.
Remediation guidance
Validate redirect targets against an allowlist of relative paths or registered domains. Reject absolute external URLs unless explicitly approved. Use signed return tokens instead of raw URL parameters.
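One way to implement both controls in Node.js, as an added example that is not code from VSPIC. The origin app.example.com, the approved host accounts.example.com, the per-process key and all function names are assumptions of the example.

```javascript
const crypto = require("node:crypto");

// Assumed values for this example: the app's origin and approved external hosts.
const APP_ORIGIN = "https://app.example.com";
const APPROVED_HOSTS = new Set(["accounts.example.com"]);
const KEY = crypto.randomBytes(32); // per-process signing key, example only

// Returns a redirect target that is safe to send, or the fallback.
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  // Browsers treat "\" like "/" and drop tabs/newlines, so "/\host" or
  // "/<tab>/host" would resolve to another site. Reject them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  let url;
  try {
    url = new URL(raw, APP_ORIGIN); // relative paths resolve against our origin
  } catch {
    return fallback;
  }
  if (url.protocol !== "https:") return fallback; // javascript:, data:, http:
  if (url.username || url.password) return fallback; // trusted-name@other-host
  if (url.origin === APP_ORIGIN) return url.pathname + url.search + url.hash;
  if (APPROVED_HOSTS.has(url.hostname) && url.port === "") return url.href;
  return fallback;
}

// Signed return token: the server issues the target plus an HMAC over it.
function issueReturnToken(target) {
  const mac = crypto.createHmac("sha256", KEY).update(target).digest("base64url");
  return `${Buffer.from(target).toString("base64url")}.${mac}`;
}

// Verifies the HMAC, then still applies the allowlist to the decoded target.
function redeemReturnToken(token, fallback = "/") {
  const [body, mac] = String(token).split(".");
  if (!body || !mac) return fallback;
  const target = Buffer.from(body, "base64url").toString();
  const expected = crypto.createHmac("sha256", KEY).update(target).digest();
  const given = Buffer.from(mac, "base64url");
  if (given.length !== expected.length) return fallback;
  if (!crypto.timingSafeEqual(given, expected)) return fallback;
  return safeRedirectTarget(target, fallback);
}
```

The allowlist compares the parsed origin and hostname, never a prefix or substring of the raw string, so accounts.example.com.evil.example.com does not pass as an approved host.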
Bug bounty and audit workflows
Paste suspicious login and logout URLs during the reconnaissance phase. Export JSON for findings reports with per-parameter evidence tables.
Relationship to SSRF protections
Our fetch layer blocks internal network targets from the open redirect tests themselves, so your submitted base URL must be public. This prevents abuse of the tool as an SSRF proxy while still testing your app's redirect logic.
OAuth-specific considerations
redirect_uri parameters in OAuth require an exact match against the registered value. This differs from a generic open redirect but is worth manual review alongside this automated scan.
Logging and rate limits
Each parameter triggers one HTTP request. Large campaigns against third-party sites without permission may violate terms — test only assets you own or have authorization to assess.
Combining with other security tools
Pair with the malware URL scanner when investigating where redirects ultimately land if followed. The security headers checker confirms broader transport security on the same host.
Frequently Asked Questions
Yes. VSPIC offers this open redirect checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. Manual redirect mode captures the first Location header only.
It is a safe test pattern string — we detect if Location includes that host.
No. Only HTTP Location header redirects are tested.
Yes on systems you own. Get authorization before testing third-party sites.
vulnerable false — but untested parameters or authenticated flows may still be risky.
Eleven common redirect parameter names are probed automatically.
Next step for your check
Continue with security headers checker on VSPIC.