Open redirects work because there is vulnerable code at the backend that is not validating the information entered by the user to create the redirection. For example, here is the first redirection we mentioned:

https://www.testsite.com?r=https://www.newsite.com 

It is controlled by the following code:

$r = $_GET['url']; 
header("Location: " . $r); 

As you can see, the code does not have any control over the information that is entered in the URL. Like the other flaws we have seen in this book, open redirects are due to a lack of input validation.