The Ultimate Guide to Finding Open Redirect Vulnerabilities (Step-by-Step + Payloads + Tools)

Posted by spyboy

What is an Open Redirect?

An Open Redirect is a web security flaw where an application blindly redirects users to a URL specified via user input, without proper validation or sanitization.

Impact: Open Redirects are often considered low-risk, but they can be chained with phishing, XSS, or authentication bypass attacks to become critical vulnerabilities.

🔥 Real-World Exploits

  • 🚨 Phishing: Redirect a victim to a malicious site after clicking a trusted domain.
  • 🚪 Authentication Bypass: Bypass login or OAuth flow using crafted redirect URIs.
  • 🎭 Session Fixation: Lure users into authenticated sessions via a fixed redirect.
  • 📥 Payload Delivery: Chain with XSS, malware, or OAuth misconfig.

🎯 Where to Look (Common Vulnerable Parameters)

| Parameter Name | Example |
|---|---|
| `?next=` | `https://target.com/login?next=https://evil.com` |
| `?redirect=` | `https://target.com/redirect?redirect=https://evil.com` |
| `?url=` | `https://target.com?url=https://evil.com` |
| `?continue=` | `https://target.com?continue=https://evil.com` |
| `?returnUrl=` | `https://target.com?returnUrl=https://evil.com` |
| `?dest=`, `?goto=`, `?forward=` | All are suspect! |

🧭 Step-by-Step Guide to Finding Open Redirect Vulnerabilities

🔍 Step 1: Identify Redirect Parameters

Start with passive reconnaissance:

  • Google Dorking: `inurl:?redirect= site:target.com` and `inurl:?next= site:target.com`
  • Use tools like ParamSpider, gau, or waybackurls to extract URLs:

```bash
gau target.com | grep -Ei 'redirect|url|next|return' > urls.txt
```

🔬 Step 2: Test Redirect Behavior

Check if the URL redirects you after clicking. Tools:

  • Burp Suite (intercept and modify redirect params)
  • curl or httpx to inspect the redirect response

```bash
curl -I "https://target.com/redirect?url=https://evil.com"
```

Does it return `Location: https://evil.com`? That’s your first flag.

🧪 Step 3: Try Common Payloads

Test known payloads that bypass weak filters.

🔥 Top Payloads for Open Redirect

| Description | Payload |
|---|---|
| Basic Redirect | `https://evil.com` |
| Protocol-less | `//evil.com` |
| Mixed | `http:evil.com` |
| Encoded | `%2f%2fevil.com` |
| Double Slash | `/\evil.com` |
| Directory Jump | `..%2f..%2fhttps://evil.com` |
| CRLF Injection | `https://target.com%0d%0aLocation:https://evil.com` |
| JavaScript Protocol (rarely allowed) | `javascript:alert(1)` |

🧠 Bonus: Use your own redirect tester link:

https://yourdomain.com/redirect-test.php

🧬 Step 4: Check Filter Bypass Techniques

If you see that some payloads are blocked, test for:

  • Case-insensitive matches: HTTPS://evil.com
  • Subdomain confusion: https://evil.com.target.com
  • Path confusion: /redirect?next=/\evil.com
  • Encoded values: %68%74%74%70%73%3A%2F%2Fevil.com

🔄 Step 5: Chain with OAuth or Login Flow

Check login and OAuth endpoints for redirect URLs:

  • /oauth/authorize?redirect_uri=...
  • /login?next=https://evil.com
  • After reset password or register

If the app automatically redirects you to your provided URL after authentication, it’s gold.

🔐 Many companies (Google, Facebook, GitHub) restrict redirect URIs to pre-approved domains — many small sites don’t.

🛠️ Tools You Can Use

| Tool | Description |
|---|---|
| Burp Suite | Intercept, fuzz, and test redirect endpoints |
| ParamSpider | Discover parameters from JS and HTML |
| httpx | Quickly test redirect headers |
| OpenRedireX | Automated Open Redirect scanner |
| Kiterunner | Path and parameter brute-forcer |
| qsreplace | Replace query values with payloads |
| FFuF | Fuzz URLs and parameters |
| OWASP ZAP | Passive scanner for open redirect patterns |

⚙️ Sample Automation with OpenRedireX

```bash
git clone https://github.com/devanshbatham/OpenRedireX
cd OpenRedireX
cat urls.txt | python3 openredirex.py -p payloads.txt -o results.txt
```

✅ Validating the Vulnerability

  1. Confirm redirection without user interaction
  2. Redirect occurs server-side, not just JS
  3. Your destination URL is reflected in the Location header
  4. Try it in a browser — does it go to evil.com?
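To make the "reflected in the Location header" check repeatable, here is an added example (not from the original post) that resolves a captured Location header the way a browser would and reports whether the redirect leaves the trusted domain. The sample responses are constructed; `target.com` stands in for the site under test.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def landing_host(request_url: str, location: str) -> str:
    """Resolve a Location header the way a browser would and return the host it lands on."""
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.com" is really "//evil.com",
    # a scheme-relative URL that leaves the site. Normalise before resolving.
    location = location.strip().replace("\\", "/")
    return (urlsplit(urljoin(request_url, location)).hostname or "").lower()

def is_open_redirect(request_url, status, location, trusted_hosts) -> bool:
    """True when a server-side redirect lands on a host outside the trusted set."""
    if status not in REDIRECT_CODES or not location:
        return False  # no server-side redirect at all (client-side JS redirects need separate review)
    host = landing_host(request_url, location)
    if not host:
        return True   # unresolvable target: treat as untrusted and review manually
    # Subdomains of a trusted host count as trusted; "target.com.evil.com" does not.
    return not any(host == t or host.endswith("." + t) for t in trusted_hosts)

# Constructed sample responses (request URL, status, Location header), not real captures.
SAMPLES = [
    ("https://target.com/redirect?url=https://evil.com", 302, "https://evil.com"),
    ("https://target.com/redirect?url=//evil.com", 302, "//evil.com"),
    ("https://target.com/redirect?url=/\\evil.com", 302, "/\\evil.com"),
    ("https://target.com/login?next=/dashboard", 302, "/dashboard"),
    ("https://target.com/redirect?url=https://evil.com", 200, None),
]

def triage(samples=SAMPLES, trusted=("target.com",)):
    """Classify each sample; only the first three are real open redirects."""
    return [is_open_redirect(url, status, loc, trusted) for url, status, loc in samples]
```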

📋 Reporting Template for Bug Bounties

**Summary:** Open Redirect in `redirect` parameter allows redirection to arbitrary domains.

**Steps to Reproduce:**
1. Visit: `https://target.com/redirect?url=https://evil.com`
2. Observe redirection to `https://evil.com`

**Impact:**
- Can be used in phishing attacks
- Can bypass login/OAuth protection
- Could be chained with XSS or session stealing

**Recommendation:**
- Validate redirect URLs against a whitelist
- Use relative paths (e.g., `/dashboard`) instead of full URLs
- Reject URLs pointing to external domains

🛡️ How to Prevent Open Redirects

| Bad Practice | Good Practice |
|---|---|
| Redirecting user input blindly | Use a whitelist of safe URLs |
| Allowing full URLs | Accept only relative paths |
| Trusting query param URLs | Validate the domain strictly |
| Returning 302 with user-provided input | Redirect to static route or home page if invalid |

Example safe server logic (Python/Flask):

```python
from flask import Flask, request, redirect

app = Flask(__name__)

@app.route('/login')
def login():
    # Only these exact relative paths may be used as a post-login destination.
    allowed = ['/dashboard', '/settings']
    url = request.args.get('next')
    if url not in allowed:
        return redirect('/')   # fall back to home on anything unexpected
    return redirect(url)
```
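The exact-match list above is the safest option. When an application must accept arbitrary local paths or a few trusted hosts, the validation has to survive every payload listed in Steps 3 and 4. The following added example (not part of the original post, and not Flask-specific) shows one way to do that; `ALLOWED_HOSTS` is an assumed allowlist, and the input is assumed to be the query value as the framework hands it over, i.e. URL-decoded once.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist of hosts that may receive full-URL redirects (constructed for this example).
ALLOWED_HOSTS = {"target.com", "www.target.com"}

# Whitespace, control characters (CRLF) and backslashes never belong in a redirect target.
_FORBIDDEN = re.compile(r"[\s\\\x00-\x1f\x7f]")

def safe_next_url(candidate: Optional[str], default: str = "/") -> str:
    """Return a redirect target that is either a local path or an allow-listed https URL.

    Anything else falls back to `default`, so the caller can always redirect to the result.
    """
    if not candidate or _FORBIDDEN.search(candidate):
        return default  # catches CRLF injection and "/\evil.com"
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute (https://evil.com, http:evil.com, javascript:...) or scheme-relative
        # (//evil.com, i.e. a decoded %2f%2fevil.com): only https to an allow-listed host.
        # urlsplit lowercases the scheme, so HTTPS://evil.com is covered, and .hostname
        # drops userinfo, so https://target.com@evil.com resolves to evil.com.
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in ALLOWED_HOSTS:
            return default  # exact match, so evil.com.target.com is rejected too
        return urlunsplit(parts)
    # Relative: require a single-slash absolute path. "../../https://evil.com" has no
    # leading slash and is rejected; "//" would have parsed as a netloc above.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```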

🏁 Final Thoughts

Open Redirects may seem low impact, but when used creatively, they can lead to phishing, account takeover, OAuth abuse, and serious security flaws. With a solid strategy and payloads, they’re one of the easiest web bugs to find — and many companies still reward them!
