An open redirect happens when an app takes a user-controlled URL (often a redirect, next, returnUrl or url parameter) and sends the browser there without validating the destination. Attackers abuse it to bounce victims from a trusted domain to an attacker-controlled site, powering convincing phishing, OAuth token theft, and SSRF chains.
The Open Redirect generator produces classic bypass tricks: protocol-relative URLs like //evil.com, backslash confusion such as /\evil.com and https:/\evil.com, the @ trick (https://[email protected]), and whitelist tricks like evil.com#trusted.com or evil.com?trusted.com. These defeat naive startsWith() and substring allowlist checks.
If a redirect_uri or post-login next parameter is not strictly matched, an attacker can register a malicious return URL and exfiltrate the authorization code or token in the URL fragment or query. This turns a low-severity redirect into account takeover, which is why allowlists must be exact-match, not prefix or substring checks.
Yes. Like every Payload Playground tool it is completely free and runs 100% in your browser, so nothing you type is ever sent to a server. Only use the generated payloads against applications you own or are explicitly authorized to test.