
Learning about Open Url Redirects


Simply put, open redirects are URLs such as https://www.example.com/?go=https://www.google.com/ which, when visited, redirect from example.com to google.com. The endpoint you are investigating will contain some type of redirect parameter or URL which it will redirect to upon success. Imagine you are attempting to log in to example.com and the endpoint you are on is example.com/login.php?returnUrl=/help. Upon logging in, the web application will redirect you to example.com/help. Your job as a hacker is then to see if you can redirect to your site after logging in.

This is what open redirects are in a nutshell. Plain and simple, the application redirects based on your input.

Typically companies and bug bounty programs consider open redirects low impact, which means that not only are they easy to find, but if any filtering does exist it is usually relatively easy to bypass. It is a good idea to hold onto some open URL redirects when hunting, as these can be used to bypass server-side request forgery (SSRF) filters, and you can turn your redirect into a high-impact bug. With that said, open URL redirects aren't only used for bypassing SSRF filters.

Finding open url redirects

To begin with, let's start with finding an open URL redirect and explore common places to look for them. I will always start with dorking, since Google knows more about a target than I do. Let's see what Google knows first by using site:example.com inurl: and then playing with the following dorks (and also try to come up with your own variants, you never know what you will discover!):

  • "go"
  • "return"
  • "r_url"
  • "returnUrl"
  • "returnUri"
  • "locationUrl"
  • "goTo"
  • "return_url"
  • "return_uri"
  • "ref="
  • "referrer="
  • "backUrl"
  • "returnTo"
  • "successUrl"

None found? OK, no problem, let's start using their site and look at common places. From my experience, most sites redirect the user after some type of action such as logging in, logging out, a password change or signup. The parameter can usually be found in the URL, or sometimes you need to hunt in .js files for referenced parameters. It is highly likely that the login page will handle some type of redirect parameter, so make sure to look deeply! Once you have discovered one parameter name used for redirecting, test it on every endpoint you discover, because developers typically re-use code and parameter names throughout.
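Seen from the site owner's side, the same parameter list can drive a review of your own request logs. The following is an added example, not code from the original page: it flags requests where one of those parameters carries a target that leaves the site, and the `is_local_target` check can also gate the redirect itself on the server. The function names, the `own_host` argument and the sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names from the list above, lower-cased for matching.
REDIRECT_PARAMS = {
    "go", "return", "r_url", "returnurl", "returnuri", "locationurl", "goto",
    "return_url", "return_uri", "ref", "referrer", "backurl", "returnto",
    "successurl",
}

def is_local_target(value, own_host):
    """True only if redirecting to `value` keeps the user on own_host."""
    value = value.strip()
    # Browsers normalise backslashes and drop control characters; refuse both.
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return False
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: web scheme and exact host only.
        return parts.scheme in ("", "http", "https") and host == own_host
    # Relative reference: accept only a single-slash rooted path such as /help.
    return value.startswith("/") and not value.startswith("//")

def audit(request_urls, own_host):
    """Return (path, parameter, value) for each off-site redirect target."""
    findings = []
    for url in request_urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            if name.lower() in REDIRECT_PARAMS and not is_local_target(value, own_host):
                findings.append((parts.path, name, value))
    return findings

# Constructed sample of request URLs, as they might appear in an access log.
SAMPLE = [
    "https://www.example.com/login.php?returnUrl=/help",
    "https://www.example.com/?go=https://www.google.com/",
    "https://www.example.com/logout?returnTo=//www.google.com/",
    "https://www.example.com/signup?successUrl=https://www.example.com/welcome",
    "https://www.example.com/search?q=return",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "www.example.com"):
        print(finding)
```

A finding only shows that an off-site value was sent; whether the endpoint actually honours it still has to be confirmed against the application.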

Using the open url redirect

By this time we would have found at least one open URL redirect, and if not, get back to hunting! However, once we do actually have a valid redirect, what can we do? Apart from the redirect itself (which is considered LOW IMPACT), we want to create something with HIGH impact. Below are the most common things I will try with an open URL redirect:

Common bypasses