search
πŸ“œ MediumπŸ›’ My ShopπŸ‘Ύ GithubπŸ“© Telegram πŸ“Ί YouTubeβœ– Twitter

Open Redirect

Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.

hashtag
Basic info - Open Redirect

Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.

hashtag
How to find entry points to test?

  • Burp Proxy history & Burp Sitemap (look at URLs with parameters)

  • Google dorking. E.g: inurl:redirectUrl=http site:target.com

  • Functionalities usually associated with redirects:

    • Login, Logout, Register & Password reset pages

    • Change site language

    • Links in emails

  • Read JavaScript code

  • Bruteforcing

    • Look for hidden redirect parameters, for e.g.:

    • /redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

    • /?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

hashtag
Responses to look for when fuzzing

hashtag
Tips

  • Try using the same parameter twice: ?next=whitelisted.com&next=google.com

  • If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgiarrow-up-right

  • Try a double-URL and triple-URL encoded version of payloads

  • Try redirecting to an IP address (instead of a domain) using different notationsarrow-up-right: IPv6, IPv4 in decimal, hex or octal

  • For XSS, try replacing alert(1) with prompt(1) & confirm(1)

  • If extension checked, try ?image_url={payload}/.jpg

  • Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.

  • Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://whitelisted.com@%E2%80%[email protected]

hashtag
Identifying Open Redirect Vulnerabilities

hashtag
Common Parameters to Test

Many applications use redirection parameters like:

If these parameters are processed without validation, they might be vulnerable.

hashtag
Passive Detection

  1. Check URL parameters – Look for redirect-related keywords in URLs.

  2. Analyze HTTP responses – Look for 302 Found or 301 Moved Permanently responses.

  3. Check developer console (F12) and network traffic – Inspect redirects.

hashtag
Active Testing (Manual and Automated)

  • Modify the URL and inject external domains:

  • Using Burp Suite's Intruder to fuzz redirection parameters.

  • Using tools like Oralyzer:

hashtag
Exploiting Open Redirect Vulnerabilities

hashtag
Basic Open Redirect Exploitation

If an application blindly trusts user input, you can redirect a victim to a malicious website:

or use encoded URLs:

hashtag
Redirect to Localhost (Bypass Authentication)

If an application allows redirection to localhost:

It can be used to:

  • Redirect an admin panel login to an internal resource.

  • Exploit internal APIs (in SSRF attacks).

hashtag
URL Format Bypass

Some applications attempt to restrict external domains but allow different URL formats:

  • //evil.com is a shorthand for https://evil.com.

  • @trusted.com is ignored by some browsers.

hashtag
Open Redirect to XSS

Some browsers allow JavaScript-based redirects if improperly filtered.

hashtag
Basic Payloads

or bypassing javascript filters:

hashtag
Using Comments and Encoding

hashtag
SVG File Exploit (Open Redirect via File Upload)

Some applications allow uploading SVG files that can trigger JavaScript execution:

If the website automatically loads SVG files, the redirection will be triggered.

hashtag
Exploiting Open Redirect for Phishing

Attackers can craft realistic-looking URLs to trick users:

Users might not notice the difference and enter their credentials.

hashtag
Tools for Automating Open Redirect Testing

hashtag
Oralyzer (Automated Open Redirect Scanner)

hashtag
Fuzzing with Payload Lists

hashtag
Defense Against Open Redirects

hashtag
Input Validation

  • Only allow whitelisted domains for redirection:

hashtag
Use Relative URLs Instead of Absolute

Instead of:

Use:

hashtag
URL Sanitization

Ensure the redirect URL starts with a trusted domain:

hashtag
Code examples

.Net

Java

PHP

circle-check

Learn & practice For the OSCP.arrow-up-right

chevron-rightSupport VeryLazyTech πŸŽ‰hashtag
PreviousIDORNextSubdomain Takeover

Last updated