## WAST RedirectScanner Hardcodes 'evil.com', Flooding Real Domain with Uncontrolled Traffic
The WAST security scanner's RedirectScanner module is hardcoded to send all its test traffic to the real, publicly registered domain 'evil.com'. This design flaw forces every scan to generate live DNS lookups and HTTP redirect attempts to a third-party host outside the project's control, creating an uncontrolled external traffic stream. The detection logic compounds the problem by triggering a vulnerability alert if the substring 'evil.com' appears anywhere in a server's redirect response, even within legitimate contexts like documentation links or error pages, guaranteeing false positives.

The issue is rooted in the `pkg/scanner/redirect.go` file, where all 16 open-redirect test payloads specify 'evil.com' as the immutable target. The function `isRedirectToPayload` (line 639) confirms a finding with a simple string containment check (`strings.Contains(location, payload.Target)`). This means a server redirecting to a URL like `https://notevil.com/` or including `?ref=evil.com` in a query parameter would be incorrectly flagged as vulnerable, undermining the scanner's accuracy.

This stands in stark contrast to the project's own SSRFScanner, which correctly implements a configurable canary domain system using unique callback IDs generated via `callbackS`. The RedirectScanner's current implementation not only risks polluting scan results with false alarms but also ethically and operationally binds the project to an external domain it does not own or manage, exposing it to potential abuse or sudden domain unavailability.
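To make the two problems above concrete (the substring check in `isRedirectToPayload` and the canary approach SSRFScanner already takes), here is an added Go example that is not the project's own code: `NaiveRedirectMatch` reproduces the `strings.Contains` behaviour the issue describes, and the hypothetical `Canary` type shows how a scanner-owned domain with a per-scan random label and an exact hostname comparison on the parsed `Location` value avoids both the external traffic and the false positives. The `Canary` type, its methods and the domain `redirect.scanner.example` are assumptions constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// NaiveRedirectMatch reproduces the substring check the issue describes: any
// Location value containing the target is a hit, even "https://notevil.com/".
func NaiveRedirectMatch(location, target string) bool {
	return strings.Contains(location, target)
}

// Canary is a hypothetical scanner-owned callback domain with a per-scan
// random label (the type and methods are assumptions, not the project's API).
type Canary struct {
	Base string // domain the project controls
	ID   string // random per-scan label
}

// NewCanary builds a canary under base with a fresh 8-byte hex ID.
func NewCanary(base string) (Canary, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return Canary{}, err
	}
	return Canary{Base: strings.ToLower(base), ID: hex.EncodeToString(b)}, nil
}

// Host is the exact hostname the test payloads point at: "<id>.<base>".
func (c Canary) Host() string { return c.ID + "." + c.Base }

// Matches parses the Location header and reports a finding only when the
// redirect hostname equals the canary host; relative redirects, unparsable
// values, lookalike hosts and canary strings inside the query are ignored.
func (c Canary) Matches(location string) bool {
	u, err := url.Parse(strings.TrimSpace(location))
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Hostname(), c.Host())
}

func main() {
	c := Canary{Base: "redirect.scanner.example", ID: "deadbeef"} // constructed
	fmt.Println(NaiveRedirectMatch("/docs?ref=evil.com", "evil.com"), c.Matches("/docs?ref="+c.Host()))
}
```

Running it prints `true false`: the naive check flags a query parameter that merely mentions the target, while the host comparison does not.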
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security-scanner, open-redirect, false-positive, code-vulnerability, traffic-leak
- **Credibility**: unverified
- **Published**: 2026-04-01 11:27:20
- **ID**: 45236
- **URL**: https://whisperx.ai/en/intel/45236