file.php?url=/admin/ Redirects to: http://website.com/admin/ Put URL email@example.com Now it is firstname.lastname@example.org which redirects to http://google.com!
#bugbountytip Got an Open Redirect like this before. Website redirected to its own URL with input appended to it. Input @mywebsite.com and alter conf of your site to not prompt for login. URL: email@example.com (browser thinks http://victim.com is user). #BugBounty
in some cases you can have an Open Redirect using %0d%0a and two "/" directly on the main url: http://victim//%0d%0ahttp://google.com/
#bugbounty #bugbountytip Try to change protocol to bypass open redirect protection. http://example.com -> ftp://example.com You might be lucky.
http:sitetoredirect , http%3asitetoredirect , http%253asitetoredirect
mostly works, for open redirect vulnerabilities.
Hold onto your open redirects. If you ever encounter SSRF then you can bypass same-origin filters using an open redirect. If they're just blocking localhost though, then create a redirect on your own website. #SSRF #infosec #CyberSecurity
Bug Bounty Tip: Always check the content of a Redirection Page (302/301). especially if it requires authentification. And remember a Redirection Page is a good place to test issues like CRLF injection and Open Redirection.
For open redirects, try using this character: 。The website thinks it's redirecting to a page on the site, but browsers convert it to a '.' thus completing the redirect. Usage: ?url=//google。com Goes to: https://google.com URL encoded: %E3%80%82
"/%0d/domain_address" is one of the best bypass in account takeover stealing tokens.