Open Redirect

Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.

How to find entry points to test?

  • Burp Proxy history & Burp Sitemap (look at URLs with parameters)

  • Google dorking. E.g: inurl:redirectUrl=http site:target.com

  • Functionalities usually associated with redirects:

    • Login, Logout, Register & Password reset pages

    • Change site language

    • Links in emails

  • Read JavaScript code

  • Bruteforcing

    • Look for hidden redirect parameters, e.g.:

    • /redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

    • /?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

Responses to look for when fuzzing


Tips

  • Try using the same parameter twice: ?next=whitelisted.com&next=google.com

  • If periods are filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi

  • Try a double-URL and triple-URL encoded version of payloads

  • Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal

  • For XSS, try replacing alert(1) with prompt(1) & confirm(1)

  • If the file extension is checked, try ?image_url={payload}/.jpg

  • Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.

  • Use the U+202E RIGHT-TO-LEFT OVERRIDE character: https://whitelisted.com@%E2%80%[email protected]


Identifying Open Redirect Vulnerabilities

Common Parameters to Test

Many applications use redirection parameters like:

If these parameters are processed without validation, they might be vulnerable.

Passive Detection

  1. Check URL parameters – Look for redirect-related keywords in URLs.

  2. Analyze HTTP responses – Look for 302 Found or 301 Moved Permanently responses.

  3. Check developer console (F12) and network traffic – Inspect redirects.

Active Testing (Manual and Automated)

  • Modify the URL and inject external domains:

  • Using Burp Suite's Intruder to fuzz redirection parameters.

  • Using tools like Oralyzer:


Exploiting Open Redirect Vulnerabilities

Basic Open Redirect Exploitation

If an application blindly trusts user input, you can redirect a victim to a malicious website:

or use encoded URLs:

Redirect to Localhost (Bypass Authentication)

If an application allows redirection to localhost:

It can be used to:

  • Redirect an admin panel login to an internal resource.

  • Exploit internal APIs (in SSRF attacks).

URL Format Bypass

Some applications attempt to restrict external domains but allow different URL formats:

  • //evil.com is a protocol-relative URL; on an HTTPS page the browser resolves it to https://evil.com.

  • In a URL such as https://trusted.com@evil.com the text before the @ is parsed as userinfo, so the browser ignores trusted.com and connects to evil.com.


Open Redirect to XSS

If the application performs the redirect client-side (for example by assigning the parameter to window.location) without filtering the scheme, a javascript: URL turns the open redirect into XSS.

Basic Payloads

or bypassing javascript filters:

Using Comments and Encoding

SVG File Exploit (Open Redirect via File Upload)

Some applications allow uploading SVG files that can trigger JavaScript execution:

If the site renders the uploaded SVG inline, the embedded script runs and the redirect is triggered.


Exploiting Open Redirect for Phishing

Attackers can craft realistic-looking URLs to trick users:

Users might not notice the difference and enter their credentials.


Tools for Automating Open Redirect Testing

Oralyzer (Automated Open Redirect Scanner)

Fuzzing with Payload Lists


Defense Against Open Redirects

Input Validation

  • Only allow whitelisted domains for redirection:

Use Relative URLs Instead of Absolute

Instead of:

Use:

URL Sanitization

Parse the redirect URL and compare its host exactly against the allow list. A plain prefix check (the URL "starts with" https://trusted.com) is bypassed by the tricks listed above, e.g. trusted.com.uk or trusted.com@evil.com, because the prefix matches while the real host is attacker-controlled:
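An added example (not one of this page's own .Net/Java/PHP snippets): a Python allow-list check that parses the URL and compares the host exactly, shown beside the naive prefix check it replaces. ALLOWED_HOSTS, SAFE_FALLBACK and the domain names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow list: exact hostnames only, no prefix/suffix matching.
ALLOWED_HOSTS = {"trusted.com", "www.trusted.com"}
SAFE_FALLBACK = "/"


def naive_is_safe(url: str) -> bool:
    """The prefix check the text warns about: the string starts with the
    trusted origin, but the browser may still land on another host."""
    return url.startswith("https://trusted.com")


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url if it is a plain relative path or targets an allow-listed
    host; otherwise return SAFE_FALLBACK."""
    if not url:
        return SAFE_FALLBACK
    url = url.strip()
    # Browsers strip tabs/newlines inside URLs; refuse them instead of guessing.
    if any(ord(c) < 0x20 for c in url):
        return SAFE_FALLBACK
    # Same-site relative path: one leading '/', but not '//' or '/\' which
    # browsers treat as scheme-relative (i.e. //evil.com).
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return url
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return SAFE_FALLBACK
    # Blocks javascript:, data: and scheme-relative //evil.com (empty scheme).
    if parts.scheme not in ("http", "https"):
        return SAFE_FALLBACK
    # Blocks https://trusted.com@evil.com: 'trusted.com' is userinfo, not host.
    if parts.username is not None or parts.password is not None:
        return SAFE_FALLBACK
    # urlsplit lowercases the hostname and drops the port; compare exactly,
    # so trusted.com.uk and decimal/hex IP literals are rejected.
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return SAFE_FALLBACK
    return url


def bypasses_naive_check(candidates):
    """Inputs that pass the prefix check but are rejected by the parser-based
    check: a quick regression list for the allow-list logic."""
    return [u for u in candidates
            if naive_is_safe(u) and safe_redirect_target(u) == SAFE_FALLBACK]
```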


Code examples

.Net

Java

PHP
