Hey There! In this post I’ll explain everything a layman (not really) needs to understand Open Redirects. Let’s start!
Open Redirect or Open Redirection is a situation in which a website redirects or sends the user to another website, taking a parameter value as the destination.
- URL - http://site.com/redir?url=http://www.google.com
- parameter name - url
- parameter value - http://www.google.com
- destination (the website to which you will be redirected) - http://www.google.com
The URL http://site.com/redir?url=http://www.google.com will send or redirect you to http://www.google.com.
Now, let’s take a look at the code which is the cause of our redirection.
What’s happening is that the code takes the parameter value from the URL, which is http://www.google.com, and assigns that value to window.location, and that’s how you get redirected to http://www.google.com.
window.location is the sink here, whereas param.searchParams.get('url') is the source.
Because the redirection happens in the browser, the server gives 200 and not 3xx as a response code. Also, its usefulness is restricted to DOM XSS.
Header Based Redirection covers the redirections triggered by server side scripts like PHP, Java, etc. This redirection is the OG, as it gives 3xx as a response code and it can be escalated to make SSRF work.
Let’s see an example PHP code that does this redirection:
As usual, the parameter value is stored in the Location header, which leads us to our redirection. It can be chained with vulnerabilities like SSRF, OAuth token disclosure and CRLF Injection. It can also be used for phishing.
Functionalities you should look at are login, signup, register and logout.
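To make the source/sink point concrete, here is an added example (not code from the original post) that puts the vulnerable JavaScript pattern described above next to a hardened resolver that would also be the right fix for the header-based case. Function names, the allowlist and the sample URLs are assumptions made for this example.

```javascript
// Vulnerable pattern: the `url` parameter (source) flows straight into the sink.
// With a real `window` this would be `window.location = target`; here the value
// is returned instead so the behaviour can be inspected without a browser.
function redirectUnsafe(pageUrl) {
  const param = new URL(pageUrl);
  return param.searchParams.get('url'); // would be assigned to window.location
}

// Hardened version: resolve the parameter against the page's own origin, accept
// only http(s), and only destinations whose host is the page itself or on an
// explicit allowlist. Anything else falls back to a safe default path.
const ALLOWED_HOSTS = ['site.com', 'www.site.com']; // constructed allowlist
const SAFE_DEFAULT = '/';

function safeRedirectTarget(pageUrl, allowedHosts = ALLOWED_HOSTS) {
  const page = new URL(pageUrl);
  const raw = page.searchParams.get('url');
  if (raw === null || raw === '') return SAFE_DEFAULT;

  let target;
  try {
    // Relative values ("/account") resolve to the page's origin; absolute or
    // protocol-relative values ("http://www.google.com", "//www.google.com")
    // keep their own origin, which is what the allowlist check catches.
    target = new URL(raw, page.origin);
  } catch (e) {
    return SAFE_DEFAULT; // unparsable input
  }

  // Reject every non-web scheme rather than trying to blocklist bad ones.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return SAFE_DEFAULT;
  }
  // Same origin is always fine; otherwise the exact hostname must be allowlisted.
  if (target.origin !== page.origin && !allowedHosts.includes(target.hostname)) {
    return SAFE_DEFAULT;
  }
  return target.href;
}
```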
Meta Refresh Redirection is a client side redirection. It occurs within your browser and requires no server side interaction. Meta tags are inserted into the head tag.
The above meta tag, if inserted in an HTML document, will redirect you to http://www.google.com after waiting for one second. These types of redirection (JavaScript Based and Meta Refresh) are client side redirections and hence they would always puke out 200 and not 3xx as a response code.
List of Quality Bypasses
Here’s a short list of bypasses (payloads) that I’ve collected from this source after going through some HackerOne reports, and have tried on different targets to bypass the filters.
Dorks & Parameter Names
Some useful Google dorks:
site:target.com AND inurl:url=http(s)
site:target.com AND inurl:u=http(s)
site:target.com AND inurl:redirect?http(s)
site:target.com AND inurl:redirect=http(s)
site:target.com AND inurl:link=http(s)
Some parameter names that need attention while looking for Open Redirects from Pentester Land:
More Resources -
That’s all for this post. You can reach out to me on Twitter and tell me whether you liked it or not; suggestions and criticism are welcome.