0xNanda

Open Redirects - Everything That You Should Know


Hey There! In this post I'll explain everything a layman (not really) needs in order to understand Open Redirects. Let's start!

Open Redirect, or Open Redirection, is a situation in which a website redirects the user to another website, taking the destination from a parameter value.

Example:

Javascript Based Redirection

The URL http://site.com/redir?url=http://www.google.com will redirect you to http://www.google.com.

Now, let's take a look at the code that causes the redirection.

// The page URL (hard-coded here for the example) is parsed with the URL API
var url = 'http://site.com/redir?url=http://www.google.com';
var param = new URL(url);
// The `url` query parameter is read and assigned, unchecked, to window.location
window.location = param.searchParams.get('url');

What's happening is that the code takes the parameter value from the URL, which is http://www.google.com, and assigns it to window.location; that is how you get redirected to http://www.google.com. This is what we call a Javascript Based Redirection.

window.location is the sink here, whereas param.searchParams.get('url') is the source.

Note: When you're trying to fuzz the parameters, remember that Javascript Based Redirections give you 200 and not 3xx as a response code. Also, its usefulness is restricted to DOM XSS.

Header Based Redirection

Header Based Redirections are the redirections triggered by server side scripts (PHP, Java, etc.). This redirection is the OG, as it gives 3xx as a response code and it can be escalated to make SSRFs work.

Let's see an example of PHP code that does this redirection:

<?php
// Read the `url` query parameter...
$redirect_URL = $_GET["url"];
// ...and place it, unchecked, into the Location header (PHP sends a 302 by default)
header("Location: " . $redirect_URL);

As usual, the parameter value is stored in the Location header, which leads us to our redirection. It can be chained with vulnerabilities like SSRF, OAuth token disclosure and CRLF Injection. It can also be used for phishing.

Functionalities you should look at are login, signup, register and logout.

Meta Refresh Redirection

Meta Refresh Redirection is a client side redirection. It occurs within your browser and requires no server side interaction. The meta tag is placed inside the head tag.

<head>
  <meta http-equiv="refresh" content="1;url=http://www.google.com"/>
</head>

The above meta tag, if inserted in an HTML document, will redirect you to http://www.google.com after waiting for one second. These types of redirections (Javascript Based and Meta Refresh) are client side redirections, and hence they will always puke out 200 as the response code. The exploitation is just the same as for Javascript Based Redirection; the only thing you have to keep an eye on is the meta tag and the JS content.
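All three snippets above hand the raw parameter value straight to the sink. As an added example (not code from the original post), here is the Javascript version rewritten so the destination is parsed and checked against an allow-list of origins before it reaches window.location; the site origin https://site.com, the allow-list and the sink callback are assumed for illustration.

```javascript
// Added example: hardened counterpart of the vulnerable redirect shown above.
// SITE_ORIGIN, ALLOWED_ORIGINS and the sink callback are assumed values.
const SITE_ORIGIN = 'https://site.com';
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN]);
const FALLBACK = SITE_ORIGIN + '/';

// Returns a safe absolute URL, or FALLBACK when the requested destination is
// missing, unparsable, or does not resolve to an allow-listed origin.
function safeRedirectTarget(rawTarget, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) {
    return FALLBACK;
  }
  let parsed;
  try {
    // Resolving against SITE_ORIGIN keeps relative paths like "/account"
    // working, while the WHATWG parser normalises protocol-relative
    // ("//host"), backslash and userinfo ("user@host") forms into their real host.
    parsed = new URL(rawTarget, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // origin is scheme + host + port, so a different scheme (http vs https),
  // a look-alike host such as site.com.evil.example, or a non-http scheme
  // (origin "null") all fail this check.
  if (!allowedOrigins.has(parsed.origin)) {
    return FALLBACK;
  }
  return parsed.href;
}

// Vulnerable form from the post, for contrast:
//   window.location = param.searchParams.get('url');
// Hardened form: the value only reaches the sink after validation.
function redirectFromQuery(currentHref, sink) {
  const target = safeRedirectTarget(new URL(currentHref).searchParams.get('url'));
  sink(target); // in a browser: sink = (u) => { window.location = u; }
  return target;
}
```

The same origin check belongs in the PHP handler before the Location header is written, and in whatever server code emits the meta refresh tag.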

List of Quality Bypasses

Here's a short list of bypasses (payloads) that I've collected from this source after going through some HackerOne reports, and have tried on different targets to bypass the filters.

Dorks & Parameter Names

Some useful Google dorks:

Some parameter names from Pentester Land that deserve attention while looking for Open Redirects:

More Resources -

That's all for this post. You can reach out to me on Twitter and tell me whether you liked it or not; suggestions and criticism are welcome.