Tip from @zseano
A lot of developers don't see the harm in an open redirect so usually no filtering exists when you discover one. This makes them extremely easy to find and a great start for newcomers. Advance your skills by finding a way to chain it for more impact!
Learning about Open Url Redirects
If you are reading this & thinking, what are open url redirects?, then simply put open redirects are urls such as
https://www.example.com/?go=https://www.google.com/, which when visited will go from
example.com -> google.com. The endpoint you are investigating will contain some type of redirect parameter or URL which will redirect upon success. Imagine you are attempting to login to
example.com and the endpoint you are on is,
example.com/login.php?returnUrl=/help. Upon logging in the web application will redirect you to
example.com/help. Your job as a hacker is to then see if you can redirect to your site after logging in.
Typically companies/bug bounty programs consider open redirects as low impact, so this means that not only are they easy to find, but if any filtering does exist it is usually relatively easy to bypass. It is a good idea to hold onto some open url redirects when hunting as these can be used to bypass server side request forgery (SSRF) filters and you can turn your redirect into a high impact bug. With that said open url redirects aren't only used for bypassing SSRF filters. Let's explore what can be done!
Finding open url redirects
To begin with let's start with finding an open url redirect and explore common places to look for them. I will always start with dorking since Google knows more about a target than me, so let's see what google knows first by using site:example.com and then playing with the following dorks: (and also try come up with your variants, you never know what you will discover!)
None found? Ok no problem, lets start using their site and look at common places. From my experience most sites usually redirect the user after some type of action such as logging in, logging out, password change, signup. The parameter can usually be found in the URL, or sometimes you need to hunt in .js files for referenced parameters. It is highly likely that the login page will handle some type of redirect parameter so make sure to look deeply!. Once you have discovered one parameter name used for redirecting then typically developers will re-use code/parameter names throughout so test this parameter on every endpoint you discover.
Using the open url redirect
By this time we would of found atleast one open url redirect, and if not, get back to hunting! ;) So once we do actually have a valid bug, what can we do? Below are the most common things I will try with an open url redirect:
Grab tokens via mis-configured apps/login flows
Imagine the following scenario. When logging into redacted.com you notice in the url
returnto=/supersecure, and after successfully logging in, the website redirects to
/supersecure?token=39e9334awith your login token, and then to the main website. So this means if we set it to
returnto=//myevilsite.comand send our victim the login url, if the website was vulnerable upon the user successfully logging in, the user will be redirected to our site which enables the attacker to steal their login token. Check the Referer header for leaks as well as playing with various characters to check how they handle it server-side. You can view an example of this here.
Bypassing blacklists for SSRF/RCE
Some websites will blacklist some requests to only allow requests to
/localendpoint. Armed with an open redirect on their domain, depending on their framework and how they handle redirects, you can sometimes bypass their blacklsit and achieve SSRF or RCE (depending on the circumstances). Imagine you have an endpoint which takes an
?url=parameter but it will only allow you to input local endpoints, such as
/example. Now imagine you also have an open redirect at
?url=to this endpoint may cause their web application to trust the user input (since it is pointing to local endpoint), but process the redirect & show you sensitive information. Remember this is a redirect from their domain which means you have level of trust via their domain (think if you need the Referrer header to contain their domain, now you can)
<script> top.location.href='reflectedhere'; </script>
When looking for these types of XSS vulnerabilities (via redirect), always look for strings such as
location.. If you see a redirect via these methods then you will be able to achieve XSS as long as no filtering is stopping you.
I run into filters trying to prevent third party redirects all the time. However before even thinking about trying to bypass the filter, one of the most common issues researchers run into when testing login flows chained with an open url redirect is not encoding the values correctly. For example,
https://example.com/login?return=https://mysite.com/. The website / browser may get confused with how the
return parameter is formatted so it always good to try just normal encoding, and failing that, double encoding. See below for an example:
Notice we've got two redirects in one? We need to double encode the last redirect so the browser decodes it last and redirects. Sometimes if you don't encode properly the browser won't redirect correctly.
\/yoururl.com \/\/yoururl.com \\yoururl.com //yoururl.com //[email protected] /\/yoursite.com https://yoursite.com%3F.theirsite.com/ https://yoursite.com%2523.theirsite.com/ https://yoursite?c=.theirsite.com/ https://yoursite.com#.theirsite.com/ https://yoursite.com\.thersite.com/ //%2F/yoursite.com ////yoursite.com https://theirsite.computer/ https://theirsite.com.mysite.com /%0D/yoursite.com (Also try %09, %00, %0a, %07) java%0d%0ascript%0d%0a:alert(0) j%0d%0aava%0d%0aas%0d%0acrip%0d%0at%0d%0a:confirm`0` java%07script:prompt`0` java%09scrip%07t:prompt`0` /%2F/yoururl.com /%5Cyoururl.com //google%E3%80%82com