Chaining open redirect with DOM XSS is such a classic yet powerful attack vector. What makes this especially interesting is how the open redirect — often dismissed as low severity — became the entry point for a full account takeover. This is a great reminder that vulnerability chaining is where the real impact lies. Did the VDP have any specific scope limitations on redirect-based findings, or was the XSS chain what elevated it to high severity?
AM
Archit Mittal
I Automate Chaos — AI workflows, n8n, Claude, and open-source automation for businesses. Turning repetitive work into one-click systems.
Chaining open redirect with DOM XSS is such a classic yet powerful attack vector. What makes this especially interesting is how the open redirect — often dismissed as low severity — became the entry point for a full account takeover. This is a great reminder that vulnerability chaining is where the real impact lies. Did the VDP have any specific scope limitations on redirect-based findings, or was the XSS chain what elevated it to high severity?