The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
🛠️ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
🛠️ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
🛠️ SSTI (Server-Side Template Injection)
🛠️ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
🛠️ CRLF injection
HTTP response splitting
🛠️ Arbitrary file download
🛠️ Directory traversal
🛠️ Null-byte injection
🛠️ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
Open redirect

Theory

Many web applications make redirections based on parameters that users can easily control, like GET parameters. When the application fails to properly check and filter these inputs, they can be vulnerable to Open Redirect where attacker can redirect users to a malicious website. Open Redirect vulnerabilities are exploited in phishing attacks to redirect users from a trusted website to an attacker-controlled one. In well executed attacks, most of the users would not notice it without carefully looking at the URL to see the difference.
Open Redirect vulnerabilities are usually found when browsing a page, being asked to log in, and then being redirected to the original page when logged in. These mechanisms greatly improve the UX (user experience) but when they are badly implemented, they can lead to vulnerabilities from low to medium severity.

Practice

Testers need to find inputs vectors used by the website for redirections. They usually are GET parameters with string values that are sometimes base64 encoded like:
Testers can then try to replace those values with different URLs and analyze de redirection.
Some bugbounty tools like waybackurls (Go), hakrawler (Go) and gf (Go) can help find vulnerable endpoints.
1
cat subdomains | waybackurls | tee -a urls
2
cat subdomains | hakrawler -depth 3 -plain | tee -a urls
3
gf redirect urls
Copied!
Using redirect.json with gf like:
1
{
2
"flags" : "-HanrE",
3
"pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
4
}
Copied!
Redirections can be header based (location header sent from the server), or Javascript based (will not work fro server-side functions, but could redirect to javascript:something() and cause an XSS).
The impact of this vulnerability is debated. Open redirects can help in phishing attacks but in some cases, it could help exploit an XSS, a SSRF or a CSRF, hence increasing the impact.

References

Open Redirect Vulnerability
s0cket7
Open redirection (reflected)
Open redirection (stored)
DOM-based open redirection | Web Security Academy
WebSecAcademy
Open Redirection Guide
0x00sec - The Home of the Hacker
PayloadsAllTheThings/Open Redirect at master · swisskyrepo/PayloadsAllTheThings
GitHub
Previous
IDOR (Insecure Direct Object Reference)
Next
Insecure JSON Web Tokens
Last modified 1yr ago
Copy link
Edit on GitHub
Contents
Theory
Practice
References