Open Redirect
Overview
A website is vulnerable to Open Redirect when a parameter value (the portion of the URL after "?") in an HTTP GET request carries a redirect target that the application follows without validating where it points. Depending on the architecture of the vulnerable website, the redirect may happen after a certain action, such as login, or instantly when the page loads.
An example of a vulnerable website link could look something like this: https://www.example.com/login.html?RelayState=http%3A%2F%2Fexample.com%2Fnext
This makes phishing really easy - just redirect the victim to your own site and ask for a login.
Exploiting Semi-Hardcoded Paths
If the redirect target is built by appending the parameter to a hardcoded prefix such as http://example.com, then you might still be able to redirect to your own site using the @ sign (might not work, depending on the hardcoded part).
Tests:
http://example.com@test.com
    Works in Chrome. Works in Firefox, but Firefox shows a phishing warning.
http://example.com/page@test.com
    Doesn't work.
page@test.com
    Doesn't work.
Filter Bypassing
Here are some things to try to bypass filters and still get the open redirect to work:
java%0d%0ascript%0d%0a:alert(0)
    CRLF injection to bypass "javascript:" being blacklisted. Results in XSS.
//google.com
    In case http:// is blacklisted.
https:google.com
    Browsers accept this; good if // is blacklisted.
//google%E3%80%82com
    %E3%80%82 is 。 (the ideographic full stop, U+3002) URL-encoded.
\/\/google.com/
    Useful for bypassing // and http:// blacklists. Browsers see \/\/ as //.
/\/google.com/
    Same as above.
//google%00.com
    Attempt to use a null byte to bypass a blacklist filter.
http://www.theirsite.com@yoursite.com/
    Browsers will redirect to anything after @.
http://www.yoursite.com/http://www.theirsite.com/
    If @ is blacklisted and they check whether their domain appears in the parameter, make a folder on your site with the name of their domain.
";alert(0);//
    If the URL is echoed into a variable and we want XSS inside a script tag.
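The payloads above, and the @-sign tests in the previous section, all defeat blacklist-style filters because the application reasons about the string while the browser reasons about the parsed URL. As an added defensive example (not code from the original page), the following Python validator applies the opposite approach: it accepts only a site-relative path and resolves it against the site's own origin before emitting a Location header. It contrasts that with the weak "is our domain in the value" check the page describes. Assumptions: the application is served from https://www.example.com (the host in the overview's example link), the framework has already URL-decoded the parameter once (so %0d%0a arrives as CR LF, %00 as NUL and %E3%80%82 as 。), and attacker.example / www.example.com stand in for the page's yoursite.com / theirsite.com placeholders.

```python
"""Allow-list validation of a user-supplied redirect target (added example).

Assumes the web framework has URL-decoded the query parameter once before
it reaches this code, and that the application lives at SITE_ORIGIN.
"""
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example.com"     # assumed origin of the application
SITE_HOST = urlsplit(SITE_ORIGIN).hostname  # "www.example.com"
DEFAULT_TARGET = "/"                        # where to send users when the parameter is rejected

# Constructed inputs: the bypass payloads listed on the page (decoded once, as the
# framework would hand them over) plus two built from the page's @ / folder tricks.
BYPASS_PAYLOADS = [
    "http://example.com@test.com",                        # @ trick against a hardcoded prefix
    "java\r\nscript\r\n:alert(0)",                        # CRLF-split javascript: scheme
    "//google.com",                                       # protocol-relative
    "https:google.com",                                   # scheme without //
    "//google\u3002com",                                  # ideographic full stop in host
    "\\/\\/google.com/",                                  # backslashes normalised by browsers
    "/\\/google.com/",                                    # same idea
    "//google\x00.com",                                   # null byte in host
    "http://www.example.com@attacker.example/",           # our domain as userinfo
    "http://attacker.example/http://www.example.com/",    # our domain as a folder name
    '";alert(0);//',                                      # script-context breakout
]


def naive_contains_check(candidate: str) -> bool:
    """The weak check the page describes: accept if our domain appears anywhere."""
    return SITE_HOST in candidate


def is_safe_relative_path(candidate: str) -> bool:
    """Accept only a site-relative path: exactly one leading "/", no scheme, no
    authority, no backslashes and no control characters anywhere."""
    if not candidate or candidate[0] != "/":
        return False                    # "/account" is fine; "https:host" and "host" are not
    if len(candidate) > 1 and candidate[1] in "/\\":
        return False                    # "//host" and "/\host" are protocol-relative to browsers
    if "\\" in candidate:
        return False                    # browsers turn "\/\/host" into "//host"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False                    # CR/LF (header injection) and NUL (filter confusion)
    parts = urlsplit(candidate)
    # Defence in depth: nothing resembling a scheme or host may have survived.
    return not parts.scheme and not parts.netloc


def safe_redirect_target(candidate: Optional[str]) -> str:
    """Return the absolute URL to place in the Location header, falling back to
    DEFAULT_TARGET whenever the candidate is missing or fails validation."""
    fallback = urljoin(SITE_ORIGIN, DEFAULT_TARGET)
    if not candidate or not is_safe_relative_path(candidate):
        return fallback
    resolved = urljoin(SITE_ORIGIN, candidate)
    # Final check on the parsed result: the host must still be ours.
    if urlsplit(resolved).hostname != SITE_HOST:
        return fallback
    return resolved


def evaluate(candidates: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each candidate to (naive check accepts, allow-list check accepts)."""
    return {c: (naive_contains_check(c), is_safe_relative_path(c)) for c in candidates}


if __name__ == "__main__":
    for value, (naive_ok, strict_ok) in evaluate(BYPASS_PAYLOADS + ["/account?tab=1"]).items():
        print(f"{value!r:55} naive={naive_ok!s:5} allow-list={strict_ok}")
    print("Location:", safe_redirect_target("/account?tab=1"))
    print("Location:", safe_redirect_target("//google.com"))
```

Note that the validator never tries to "clean" a rejected value; it replaces it with the default destination, because every rewrite rule is a new parsing discrepancy for an attacker to probe. The '@' character is deliberately still allowed inside a path (e.g. "/users/@me"), since, as the tests above show, it only changes meaning when an authority section precedes it.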