Open Redirect
Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.
Become VeryLazyTech!
Follow us on:
Twitter.
Github.
Medium.
YouTube.
Telegram.
My Site.
Visit our for e-books and courses.
Burp Proxy history & Burp Sitemap (look at URLs with parameters)
Google dorking. E.g: inurl:redirectUrl=http site:target.com
Functionalities usually associated with redirects:
Login, Logout, Register & Password reset pages
Change site language
Links in emails
Read JavaScript code
Bruteforcing
Look for hidden redirect parameters, for e.g.:
/redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
/?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
HTTP redirect status codes
Alert box popping up
Try using the same parameter twice: ?next=whitelisted.com&next=google.com
Try double- and triple-URL-encoded versions of the payloads (the application may decode more than once before it validates).
For XSS, try replacing alert(1) with prompt(1) & confirm(1)
If extension checked, try ?image_url={payload}/.jpg
Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, it's vulnerable: target.com.uk and target.com are different domains, so the application is concatenating the parameter onto its own hostname instead of validating it.
Use the U+202E RIGHT-TO-LEFT OVERRIDE character (UTF-8 %E2%80%AE): https://whitelisted.com@%E2%80%AE@moc.elgoog
U+202E makes all subsequent text render right-to-left, so the @moc.elgoog part displays reversed (as google.com) while the browser still treats everything before the last @ as userinfo and connects to moc.elgoog, a domain the attacker has to control.
Many applications use redirection parameters like:
If these parameters are processed without validation, they might be vulnerable.
Check URL parameters: look for redirect-related keywords in URLs.
Analyze HTTP responses: look for 302 Found or 301 Moved Permanently (and other 3xx, such as 303 and 307) responses whose Location header is derived from a parameter.
Check the developer console (F12) and network traffic: inspect redirects.
Modify the URL and inject external domains:
Using Burp Suite's Intruder to fuzz redirection parameters.
Using tools like Oralyzer:
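An added example (not part of the original page, and not the Oralyzer or Burp Intruder invocation the page refers to): a small Python helper that builds probe URLs for the parameter names listed above combined with the bypass variants from this page, and classifies a response as an open redirect when its Location header resolves to an attacker-controlled canary host. The canary host redirect-canary.example, the target URL and the sample responses are constructed assumptions, not captured traffic.

```python
from typing import Iterator, List, Optional, Tuple
from urllib.parse import quote, urlsplit

# Assumption: a host you control and can watch (DNS/HTTP logs), so a hit proves the redirect fired.
CANARY = "redirect-canary.example"

# Parameter names from the hidden-parameter list on this page.
PARAMS = ["url", "next", "redirect", "redir", "rurl", "redirect_uri"]


def payloads(canary: str) -> List[str]:
    """Bypass variants from this page, each of which sends the browser to the canary host."""
    absolute = f"https://{canary}"
    return [
        absolute,
        f"//{canary}",                              # protocol-relative
        f"https://target.com@{canary}",             # trusted name in userinfo, real host after "@"
        f"https://target.com.{canary}",             # defeats "starts with target.com" checks
        quote(absolute, safe=""),                   # single URL-encoding
        quote(quote(absolute, safe=""), safe=""),   # double URL-encoding
    ]


def fuzz_urls(target: str, canary: str = CANARY) -> Iterator[str]:
    """Every parameter name x every payload, ready for Intruder, curl or requests."""
    for name in PARAMS:
        for value in payloads(canary):
            yield f"{target}?{name}={value}"


def is_open_redirect(status: int, location: Optional[str], canary: str = CANARY) -> bool:
    """True when a 3xx response's Location header resolves to the canary (or a subdomain of it).
    Backslashes are normalised to slashes first because browsers treat them that way."""
    if not (300 <= status < 400) or not location:
        return False
    try:
        host = (urlsplit(location.replace("\\", "/")).hostname or "").lower()
    except ValueError:
        return False
    return host == canary or host.endswith("." + canary)


# Constructed responses (not captured traffic): (request URL, status, Location header).
SAMPLE_RESPONSES: List[Tuple[str, int, Optional[str]]] = [
    ("https://target.com/login?next=/account", 302, "/account"),
    ("https://target.com/login?next=//redirect-canary.example", 302, "//redirect-canary.example"),
    ("https://target.com/login?next=https://target.com@redirect-canary.example", 302,
     "https://target.com@redirect-canary.example"),
    ("https://target.com/login?next=https://redirect-canary.example", 200, None),
    ("https://target.com/login?next=https://target.com.redirect-canary.example", 301,
     "https://target.com.redirect-canary.example/"),
]


def scan(responses, canary: str = CANARY) -> List[str]:
    """Return the request URLs whose responses redirected off-site to the canary."""
    return [url for url, status, loc in responses if is_open_redirect(status, loc, canary)]


if __name__ == "__main__":
    for u in list(fuzz_urls("https://target.com/login"))[:6]:
        print("probe:", u)
    for hit in scan(SAMPLE_RESPONSES):
        print("OPEN REDIRECT:", hit)
```

Feed the output of fuzz_urls to whatever sends the requests, then pass each (url, status, Location) triple to scan; a 200 with the payload reflected into a meta refresh or location.href assignment is not caught by this check and still has to be read by hand.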
If an application blindly trusts user input, you can redirect a victim to a malicious website:
or use encoded URLs:
If an application allows redirection to localhost:
It can be used to:
Redirect an admin panel login to an internal resource.
Reach internal APIs, but only when the server itself follows the redirect (SSRF); a browser-side 302 alone does not give the attacker access to internal hosts.
Some applications attempt to restrict external domains but accept URL formats their check does not anticipate:
//evil.com is a protocol-relative URL: the browser fills in the current scheme and loads https://evil.com, while a filter that only looks for a leading http:// or https:// sees nothing to block.
https://trusted.com@evil.com: everything before the @ is userinfo, which the browser drops when it resolves the host, so the request goes to evil.com while a check that looks for trusted.com at the start of the URL passes it.
If the target ends up in a client-side redirect (for example an assignment to location.href) and the scheme is not restricted, a javascript: URL runs script in the page instead of redirecting (the XSS case above):
or, bypassing filters that look for the literal string javascript:
Some applications allow uploading SVG files, which can carry script and so trigger JavaScript execution or a scripted redirect:
If the website renders the uploaded SVG inline instead of serving it as an attachment, the redirection is triggered when the file is viewed.
Attackers can craft realistic-looking URLs to trick users:
Users might not notice the difference and enter their credentials.
Run the tool:
Only allow whitelisted domains for redirection:
Instead of:
Use:
Ensure the redirect URL's parsed hostname (not merely its string prefix) is a trusted domain: a starts-with check on the raw string is defeated by target.com.uk, target.com.evil.com and https://target.com@evil.com, so parse the URL first and compare the hostname exactly against the allow-list:
.Net
Java
PHP
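To make the allow-list concrete, the Python below is an added example (not code from the original page) that shows, side by side, the kind of starts-with check the bypasses above defeat and a hardened check that parses the URL and compares the hostname exactly. The hostnames target.com and www.target.com and the payload list are assumptions taken from this page's own examples; the hardened check goes slightly beyond the page by also rejecting javascript: schemes and backslash variants.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the hosts this application may redirect to.
ALLOWED_HOSTS = {"target.com", "www.target.com"}


def naive_check(url: str) -> bool:
    """A check in the spirit of 'starts with a trusted domain' (constructed, deliberately weak)."""
    if "://" not in url:
        return True                                   # "no scheme, so it must be a local path"
    return urlsplit(url).netloc.startswith("target.com")


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Return a redirect target that is either a same-origin path or an absolute URL whose
    parsed hostname is in the allow-list; anything else falls back to `default`."""
    candidate = url.strip().replace("\\", "/")        # browsers treat "\" as "/"
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                                # javascript:, data:, ...
    if not parts.netloc:
        # Relative target: exactly one leading "/" (a leading "//" is protocol-relative).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if "@" in parts.netloc:
        return default                                # never accept userinfo
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return default
    # Rebuild from the parsed pieces so no unparsed text survives; port and fragment are dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


# Bypass payloads from this page (constructed inputs).
BYPASSES = [
    "//evil.com",
    "https://target.com@evil.com",
    "https://target.com.uk",
    "https://target.com.evil.com",
    "/\\evil.com",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for p in BYPASSES:
        print(f"{p!r:35} naive={naive_check(p)!s:5} hardened={safe_redirect_target(p)}")
```

Every entry in BYPASSES passes naive_check and is reduced to "/" by safe_redirect_target, while a plain "/account" or an absolute URL on an allowed host is returned rebuilt from its parsed parts. Note that the .uk trick from earlier on the page never arises here because the parameter is never concatenated onto the application's own hostname.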
If periods are filtered, use the IPv4 address in decimal notation (a single, dot-free integer).
Try redirecting to an IP address instead of a domain, written as IPv6 (including the IPv4-mapped ::ffff: form) or as IPv4 in decimal, hex or octal notation:
E.g.:
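As an added example (not part of the original page), the Python below generates the alternative notations for an IPv4 address and resolves them the way inet_aton() does, so you can confirm that a filter blocking dots or the dotted form still lets the same host through. 127.0.0.1 is only a sample value; nothing here is a live target.

```python
import ipaddress
from typing import Dict


def ipv4_alternates(dotted: str) -> Dict[str, str]:
    """Every form below names the same host; the ones without '.' survive a period filter."""
    n = int(ipaddress.IPv4Address(dotted))
    return {
        "decimal": str(n),                                      # 2130706433
        "hex": f"0x{n:08x}",                                    # 0x7f000001
        "octal": f"0{n:o}",                                     # 017700000001
        "hex_octets": ".".join(f"0x{b:02x}" for b in n.to_bytes(4, "big")),
        "short": f"{n >> 24}.{n & 0xFFFFFF}",                   # 127.1 (last part fills 3 bytes)
        "ipv6_mapped": f"[::ffff:{n >> 16:x}:{n & 0xFFFF:x}]",  # [::ffff:7f00:1], dot-free
    }


def _part(p: str) -> int:
    """One dot-separated component: 0x prefix is hex, leading 0 is octal, otherwise decimal."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def inet_aton_like(text: str) -> str:
    """Resolve an IPv4 literal the way inet_aton() (libc, and many URL parsers) does:
    1-4 dot-separated parts, each decimal/0x-hex/0-octal, the last filling the remaining bytes."""
    parts = [_part(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(text)
    *lead, last = parts
    n = 0
    for b in lead:
        if not 0 <= b <= 255:
            raise ValueError(text)
        n = (n << 8) | b
    remaining = 4 - len(lead)
    if not 0 <= last < (1 << (8 * remaining)):
        raise ValueError(text)
    return str(ipaddress.IPv4Address((n << (8 * remaining)) | last))


def same_host(dotted: str, literal: str) -> bool:
    """True if `literal` (bracketed IPv6 or an inet_aton-style IPv4 form) resolves to `dotted`."""
    if literal.startswith("[") and literal.endswith("]"):
        v6 = ipaddress.IPv6Address(literal[1:-1])
        return v6.ipv4_mapped is not None and str(v6.ipv4_mapped) == dotted
    return inet_aton_like(literal) == dotted


if __name__ == "__main__":
    for name, literal in ipv4_alternates("127.0.0.1").items():
        print(f"{name:12} {literal:24} -> same host: {same_host('127.0.0.1', literal)}")
```

The practical check on the defending side is the inverse: if a validator only compares against the dotted form, run the candidate through inet_aton_like (or the equivalent in your platform's URL parser) before comparing, otherwise 2130706433 and 0x7f000001 sail past a loopback blocklist.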
GitHub:
Learn & practice