Open Redirects - Everything That You Should Know April 16, 2020

Hey There! In this post I’ll be explaining everything that is necessary for a layman (not really) to understand Open Redirects. Let’s start!

Open Redirect or Open Redirection is a situation in which a website redirects or sends the user to another website, taking a parameter value as the destination.

Example:

URL - http://site.com/redir?url=http://www.google.com

parameter name - url

parameter value - http://www.google.com

destination(the website to which you will be redirected) - http://www.google.com

Javascript Based Redirection

The URL http://site.com/redir?url=http://www.google.com will send you, or redirect you, to http://www.google.com.

Now, let’s take a look at the code which is the cause of our redirection.

    var url = 'http://site.com/redir?url=http://www.google.com';
    var param = new URL(url);
    window.location = param.searchParams.get('url');

What’s happening is that the code takes the parameter value from the URL, which is http://www.google.com, and assigns that value to window.location; that’s how you get redirected to http://www.google.com. This is what we call Javascript Based Redirection.

window.location is the sink here, whereas param.searchParams.get('url') is the source.

Note: When you’re fuzzing the parameters, remember that Javascript Based Redirections give you 200 and not 3xx as the response code, because the redirect happens in the browser after the page has loaded. Also, its usefulness is restricted to DOM XSS.

Header Based Redirection

Header Based Redirections are the redirections triggered by server side scripts written in PHP, Java, etc. This redirection is the OG, as it gives 3xx as the response code and it can be escalated to make SSRFs work.

Let’s see an example PHP code that does this redirection:

    $redirect_URL = $_GET["url"];
    header("Location: " . $redirect_URL);

As usual, the parameter value is written straight into the Location header, which gives us our redirection. It can be chained with vulnerabilities like SSRF, OAuth token disclosure and CRLF Injection. It can also be used for phishing.

Functionalities you should look at (while hunting for Open Redirects): login, signup, register & logout.

Meta Refresh Redirection

Meta Refresh Redirection is a client side redirection. It occurs within your browser and requires no server side interaction. The meta tag is inserted into the head tag.

    <head>
      <meta http-equiv="refresh" content="1;url=http://www.google.com" />
    </head>

The above meta tag, if inserted in an HTML document, will redirect to http://www.google.com after waiting for one second. These types of redirections (Javascript Based and Meta Refresh) are client side redirections and hence they will always puke out 200 as the response code. The exploitation is just the same as Javascript Based Redirection; the only thing you have to keep an eye on is the meta tag and the JS content.

List of Quality Bypasses

Here’s a short list of payloads that I’ve collected after going through some HackerOne reports and using them on different targets:

https:www.google.com

HtTp://google.com

http\x3A\x2F\x2Fgoogle.com

//google。com

x00http://google.com

////216.58.214.206

/\216.58.214.206

x20http://www.google.com

https://www.google.com

hthttp://tp://www.google.com

。/www.google.com
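To show why a redirect sink like the window.location code above needs a real origin check rather than string matching, here is an added validation routine (not from the original post; SITE_ORIGIN, naiveIsLocal, safeRedirectTarget and redirectTargetFromUrl are names I made up for this example). The naive prefix filter beside it lets the /\216.58.214.206 payload from the list through, while the hardened check resolves every candidate with the browser's own URL parser and only ever hands the sink a same-origin path.

```javascript
// Added example (not from the original post): validate a redirect target
// before it reaches the window.location sink. SITE_ORIGIN is a constructed
// value standing in for the site that hosts the /redir endpoint.
const SITE_ORIGIN = "http://site.com";

// A naive prefix filter of the kind the bypass list above defeats:
// "/\216.58.214.206" starts with a single "/" and is waved through,
// yet the browser treats the backslash as a second slash.
function naiveIsLocal(target) {
  return target.startsWith("/") && !target.startsWith("//");
}

// Hardened check: resolve the candidate with the WHATWG URL parser (the same
// parser the browser applies when window.location is assigned), then require
// the resolved origin to equal the site's own origin. Anything else, including
// unparsable input, falls back to the home page.
function safeRedirectTarget(target, origin = SITE_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch (e) {
    return "/";
  }
  if (resolved.origin !== origin) {
    return "/";
  }
  // Hand the sink a relative path only, so no scheme or host taken from the
  // parameter ever reaches it.
  return resolved.pathname + resolved.search + resolved.hash;
}

// The post's pattern, hardened: read ?url= from the page URL and validate it
// against that page's own origin.
function redirectTargetFromUrl(pageUrl) {
  const page = new URL(pageUrl);
  const param = page.searchParams.get("url");
  return safeRedirectTarget(param === null ? "/" : param, page.origin);
}

// In a browser this would be used as:
// window.location = redirectTargetFromUrl(location.href);
```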

Dorks & Parameter Names

Some useful google dorks:

site:target.com AND inurl:url=http(s)

site:target.com AND inurl:u=http(s)

site:target.com AND inurl:redirect?http(s)

site:target.com AND inurl:redirect=http(s)

site:target.com AND inurl:link=http(s)

Some parameter names that need attention while looking for Open Redirects:

?next=

?url=

?dest=

?redirect=

?returnTo=

?go=

?redirect_uri

?continue=

?return_path=

?externalLink=

?URL=

More Resources:

That’s all for this post, it’s Hardik Nanda, signing off!