Open URL Redirection

Unvalidated redirects and forwards occur when a web application accepts untrusted input and uses it as the target of a redirect. By changing that input so it points at a site they control, an attacker can run a convincing phishing campaign and steal user credentials: the link the victim clicks starts with the legitimate server name, so it looks trustworthy even though it ends on the attacker's page. Unvalidated forwards can also be abused to craft a URL that passes the application's access control check and is then forwarded to privileged functions the attacker could not reach directly.



Let's say there is a well-known website, https://famous-website.tld/, and that the signup flow uses a link like:


After signing up you get redirected to your account; the destination of that redirect is taken from the redirectUrl parameter in the URL.
What happens if we change famous-website.tld/account to evil-website.tld?


If visiting this URL sends us to evil-website.tld after the signup, we have an Open Redirect vulnerability. An attacker can abuse it to land the victim on a phishing page that asks for their credentials, with a link that still begins with famous-website.tld.
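The two sides of the bug described above, as an added example that is not code from the page or from any real site: the vulnerable pattern (the parameter goes straight into the Location header) next to a hardened version that only accepts a local path or an absolute http(s) URL whose host is exactly the allowed one. famous-website.tld is the page's placeholder; the /account default and the function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the page's placeholder site is the only
# host we are willing to send users to, and the post-signup landing page
# is /account (neither is stated as a real value on the page).
ALLOWED_HOST = "famous-website.tld"
DEFAULT_TARGET = "/account"


def redirect_target_vulnerable(redirect_url: str) -> str:
    """The bug from the walkthrough: whatever arrives in redirectUrl goes
    straight into the Location header, so https://evil-website.tld is
    accepted just like https://famous-website.tld/account."""
    return redirect_url


def redirect_target_safe(redirect_url: str, allowed_host: str = ALLOWED_HOST) -> str:
    """Accept only a local path or an absolute http(s) URL whose host is
    exactly allowed_host; everything else falls back to DEFAULT_TARGET."""
    if not redirect_url:
        return DEFAULT_TARGET
    # Browsers delete tab/CR/LF anywhere in a URL and treat "\" as "/" in
    # http(s) URLs, so normalise the same way before looking at the value;
    # otherwise "java\r\nscript:" or "/\evil" slip past a plain check.
    cleaned = "".join(ch for ch in redirect_url if ch not in "\t\r\n").replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:          # e.g. a malformed IPv6 literal
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading "/" ("//host" is
        # scheme-relative and would leave the site).
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return DEFAULT_TARGET
    if (
        parts.scheme.lower() in ("http", "https")
        and parts.hostname == allowed_host        # hostname is already lower-cased
        and "@" not in parts.netloc               # no "allowed@evil" userinfo trick
    ):
        return cleaned
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("https://famous-website.tld/account", "/account?tab=1",
                      "https://evil-website.tld", "//evil-website.tld",
                      "/\\evil-website.tld", "https://famous-website.tld@evil-website.tld",
                      "java\r\nscript:alert(1)"):
        print(repr(candidate), "->", redirect_target_safe(candidate))
```

The safe version compares the parsed hostname, never the raw string, so the whitelisted domain appearing somewhere in the value (as a path segment, as userinfo before an "@", or as a prefix of a longer host) does not count.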

HTTP Redirection Status Code - 3xx


Replace www.whitelisteddomain.tld in Open-Redirect-payloads.txt with the whitelisted domain of your test case.

To do this, set WHITELISTEDDOMAIN to that domain and run:

WHITELISTEDDOMAIN="" && sed 's/www\.whitelisteddomain\.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt

The awk step appends one extra payload: the whitelisted domain with its top-level domain repeated (www.example.com becomes https://www.example.com.com), a lookalike the attacker would have to register.

Filter Bypass

Using a whitelisted domain or keyword somewhere inside the redirect target

Using CRLF to bypass "javascript" blacklisted keyword (the browser removes CR and LF from a URL before reading the scheme)


Using "//" to bypass "http" blacklisted keyword


Using "https:" to bypass "//" blacklisted keyword

Using "\/\/" to bypass "//" blacklisted keyword (browsers treat "\" as "/" in http(s) URLs, so they see \/\/ as //)


Using "%E3%80%82" to bypass "." blacklisted character (it is the UTF-8 encoding of U+3002, IDEOGRAPHIC FULL STOP, which browsers map to "." when parsing a hostname)


Using a null byte "%00" to bypass a blacklist filter


Using parameter pollution


Using the "@" character: the browser treats everything before it as userinfo and redirects to the host after the "@"

Creating a folder on the attacker's site whose name is the whitelisted domain

Using the "?" character: the browser treats it as "/?", so everything after it is the query string rather than part of the host

Host/Split Unicode Normalization

https://evil.c℀ ... The character ℀ (U+2100) is NFKC-normalised to the three ASCII characters a/c, so a host written as evil.c℀ becomes evil.ca/c after normalisation: the host ends at evil.ca and the rest turns into a path. A filter that matched the original string sees one domain; the browser connects to another.
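An added example, not from the page or from the repository's payload file, covering the filter-bypass list and the Host/Split case above: one constructed payload per technique, built from the page's placeholder names www.whitelisteddomain.tld and evil.tld, next to a small approximation of the browser's URL parser that reports which host each payload really lands on versus what a substring filter sees. The parser model, the dictionary keys and the evil.ca host used in the Host/Split entry are assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Placeholders borrowed from the page; neither is a real site.
WHITELISTED = "www.whitelisteddomain.tld"
EVIL = "evil.tld"
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss", "file"}


def bypass_payloads(whitelisted: str = WHITELISTED, evil: str = EVIL) -> dict:
    """One constructed payload per technique in the filter-bypass list."""
    return {
        "whitelisted domain in the path": f"https://{evil}/{whitelisted}",
        "CRLF inside 'javascript'": "java%0d%0ascript:alert(1)",
        "// instead of http": f"//{evil}",
        "https: instead of //": f"https:{evil}",
        "\\/\\/ instead of //": f"\\/\\/{evil}",
        "%E3%80%82 instead of '.'": "//" + evil.replace(".", "%E3%80%82"),
        # Works only against a filter that stops reading at NUL; browsers
        # refuse a host containing U+0000.
        "null byte": f"//{evil}%00{whitelisted}",
        # Depends on which copy of the parameter the server reads.
        "parameter pollution": f"https://{whitelisted}&redirectUrl=https://{evil}",
        "@ (userinfo)": f"https://{whitelisted}@{evil}",
        "folder named like the domain": f"https://{evil}/https://{whitelisted}/",
        "? turns the rest into a query": f"https://{evil}?{whitelisted}",
        # U+2100 (℀) NFKC-normalises to "a/c", so the attacker registers evil.ca.
        "Host/Split (evil.c℀ -> evil.ca/c)": f"https://evil.c\u2100.{whitelisted}",
    }


def substring_filter_passes(url: str, whitelisted: str = WHITELISTED) -> bool:
    """The check these payloads are built for: 'the allowed domain appears
    somewhere in the value'."""
    return whitelisted.lower() in url.lower()


def browser_view(url: str):
    """Approximate the WHATWG URL parser (parsing without a base URL) far
    enough to show where a browser really goes. Returns (scheme, host):
    host is "" for non-http(s) schemes and for plain relative paths, and
    None when the host is invalid and the navigation fails."""
    s = unquote(url)                                    # the server decodes the parameter first
    s = "".join(ch for ch in s if ch not in "\t\r\n")   # the parser removes tab/CR/LF anywhere
    s = s.replace("\\", "/")                            # "\" is "/" for special schemes
    m = re.match(r"[A-Za-z][A-Za-z0-9+.-]*:", s)
    scheme = s[:m.end() - 1].lower() if m else ""
    rest = s[m.end():] if m else s
    if scheme and scheme not in SPECIAL_SCHEMES:
        return scheme, ""                               # javascript:, data:, ... carry no host
    if not scheme and not rest.startswith("//"):
        return "", ""                                   # ordinary relative path
    # Special schemes skip any run of slashes before the authority, so
    # "https:evil.tld" and "//evil.tld" both yield a host. (Resolved against
    # a page that is itself https, "https:evil.tld" is instead treated as a
    # relative path, so that trick needs the page and payload schemes to differ.)
    authority = re.split(r"[/?#]", rest.lstrip("/"), maxsplit=1)[0]
    authority = authority.rsplit("@", 1)[-1]            # userinfo is discarded
    if "\x00" in authority:
        return scheme, None
    host = unicodedata.normalize("NFKC", authority)     # "℀" becomes "a/c"
    host = host.replace("\u3002", ".")                  # IDNA maps U+3002 to "."
    host = host.split("/", 1)[0]                        # a "/" produced by normalisation ends the host
    host = host.rsplit(":", 1)[0].lower()               # drop any port
    return scheme, host


if __name__ == "__main__":
    for name, payload in bypass_payloads().items():
        print(f"{name:36} {payload!r:62} filter={substring_filter_passes(payload)!s:5} "
              f"browser={browser_view(payload)}")
```

Run it and compare the two right-hand columns: the substring filter is satisfied by the "@", "?", folder and in-path payloads, while the parser view shows every one of them ending on the attacker's host, and the CRLF payload turning into a javascript: scheme with no host at all. The null-byte and parameter-pollution entries are listed for completeness; whether they work is decided by the server-side filter, not by the browser.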

XSS from Open URL - If it's in a JS variable


XSS from data:// wrapper

data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==

(The base64 part decodes to <script>alert("XSS");</script>.)

XSS from javascript:// wrapper
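The "if it's in a JS variable" case, as an added example that is not code from the page: a constructed page template that reflects the redirect target into a JavaScript string and then navigates to it, rendered once by string concatenation and once by serialising the value as a JS string literal with json.dumps plus \u-escaping of "<", ">" and "&". A small scanner splits the rendered script at the end of the first string literal so the difference is visible as data: everything after the literal is code the browser would execute. The template, function names and payloads are assumptions for this example.

```python
import json

# Constructed template, not from the page: the redirect target is reflected
# into a JavaScript variable that the page then navigates to.
TEMPLATE = "<script>var redirectUrl = %s; location.href = redirectUrl;</script>"


def render_vulnerable(url: str) -> str:
    """String concatenation: quotes, backslashes and "</script>" in the
    value are emitted as-is, so the value can close the literal and run code."""
    return TEMPLATE % ('"%s"' % url)


def js_string_literal(url: str) -> str:
    """json.dumps escapes quotes, backslashes and control characters; on top
    of that encode < > & as \\uXXXX so the HTML parser never sees "</script>"
    inside the block. The result is a valid JS (and JSON) string literal."""
    return (json.dumps(url)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(url: str) -> str:
    return TEMPLATE % js_string_literal(url)


def split_first_literal(script: str):
    """Scanner used to show the difference: return (literal_contents,
    code_after_literal) for the first double-quoted JS string, honouring
    backslash escapes. Anything in code_after_literal is executable."""
    start = script.index('"') + 1
    i = start
    while i < len(script):
        if script[i] == "\\":
            i += 2          # skip the escaped character
        elif script[i] == '"':
            return script[start:i], script[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated string literal")


def decode_literal(raw: str) -> str:
    """Turn the raw (escaped) contents of a JSON-compatible literal back
    into the original value, i.e. what the JS engine would see."""
    return json.loads('"' + raw + '"')


if __name__ == "__main__":
    for payload in ('";alert(document.domain);//', "</script><script>alert(1)</script>"):
        for render in (render_vulnerable, render_safe):
            literal, code = split_first_literal(render(payload))
            print(render.__name__, "literal=", repr(literal), "code=", repr(code))
```

Escaping fixes only the string-context break-out. With the safe renderer the literal survives intact, but location.href is still assigned whatever it contains, so a value of javascript:alert(1) or a data:text/html URL executes anyway; the redirect target also needs a scheme allow-list (http and https only, or a local path) before it reaches the template.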

Common injection parameters