Vulnerability Key Information

Vulnerability Summary
Issue: The function contains a logical flaw that allows attackers to bypass domain validation by using excessive leading slashes (e.g., ), resulting in users being immediately redirected to an external malicious site after a successful login.
Vulnerability Type: CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

Target Information
Project: mwielpiszewski/doorman
Version: 9a9b97c814625fcdd281b55c82177c9f777c5526 (current master)
Vulnerable File: doorman/users/views.py
Vulnerable Function:

Vulnerability Details
Vulnerable Function:
Bypass Payload:

Technical Analysis
Root Cause: Inconsistency between the server-side (Python) and client-side (modern browser) URL parsers when interpreting redundant slashes.
Server-side Behavior (Python/Flask): When processing the payload, Python's treats multiple leading slashes as path segments rather than as a new authority/domain, so the redirect target appears to be a local path.
Client-side Behavior (Browser): Following the WHATWG URL Standard, browsers collapse the redundant leading slashes, discard the original domain, and navigate directly to the host named in the payload.

Reproduction Steps (PoC)
Requirement: Test using the original implementation in a Flask environment.

Test Cases
Test Case 1 (Blocked Successfully): Access → Result: Access blocked (correct).
Test Case 2 (Bypass): Access → Result: 302 redirect issued.

Observation Results
Browser navigates away from the local application and loads .
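The parser mismatch described above can be reproduced and mitigated in a few lines. The following is an added example, not code from the doorman project: `naive_is_safe` is a constructed stand-in for the common Flask pattern of resolving the target with `urljoin` and comparing `netloc` (it is not doorman's own function), `hardened_is_safe` is a constructed replacement that rejects scheme-relative and multi-slash targets before they reach the parser, and the host and target names (`localhost:5000`, `example.com`) are constructed sample values.

```python
from urllib.parse import urljoin, urlparse

# Constructed stand-in for Flask's request.host_url (assumption, not from the page).
HOST_URL = "http://localhost:5000/"


def naive_is_safe(target: str, host_url: str = HOST_URL) -> bool:
    """Constructed example of the flawed netloc-comparison pattern.

    Python's urlparse treats '///host' as an empty authority followed by the
    path '/host', so urljoin() resolves it onto the local host and the netloc
    check passes, although a browser will navigate to http://host/.
    """
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and ref.netloc == test.netloc


def hardened_is_safe(target: str, host_url: str = HOST_URL) -> bool:
    """Constructed hardened check: accept only a plain local absolute path.

    Rejects anything a browser could interpret as an authority (two or more
    leading slashes, backslashes, explicit scheme or netloc) and anything
    containing control characters, then performs the same-host comparison.
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # A browser collapses '//', '///', '/\\' and '\\' into a new authority;
    # refuse all of them before the server-side parser sees them.
    if target.startswith(("//", "/\\", "\\")) or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return False
    # Require a single leading slash: a relative path such as 'evil.com'
    # is also refused rather than silently resolved against the base.
    if not target.startswith("/"):
        return False
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and ref.netloc == test.netloc


def compare(target: str) -> dict:
    """Return both verdicts for one target so the mismatch is visible."""
    return {"naive": naive_is_safe(target), "hardened": hardened_is_safe(target)}


if __name__ == "__main__":
    # Constructed sample targets: a legitimate path, a plain scheme-relative
    # URL (caught by the naive check) and a triple-slash variant (not caught).
    for t in ["/dashboard", "//example.com", "///example.com", "http://example.com"]:
        print(f"{t!r:26} -> {compare(t)}")
```

The `naive` column shows why Test Case 1 is blocked while Test Case 2 slips through: `//host` yields a non-empty `netloc` that fails the comparison, but `///host` collapses to a local path on the server side only. A simpler alternative to path-based validation is to avoid echoing user-supplied URLs at all and redirect to a fixed allow-list of internal endpoint names.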