AntiPattern
Client-Controlled Redirects Abuse
client-controlled-redirects-spoofed-paystate
Client-controlled redirect parameters (success_url/cancel_url) and attacker-influenced return URLs allow spoofed paystate or misrouted payment flows, so the app can wrongly treat a redirect as proof of payment or complete a transaction on the wrong endpoint.