[Bypass] Cool Open redirect Bypasses




Hey guys,

it's me again XD. This time I will talk about some open redirect protection bypasses; I hope they help you.

Let's start. Say your target has an endpoint like /path/redirect.php?url=http://target.com/. An endpoint like this is used to send the user to another page after login, signup or anything else, and many websites intend it for internal paths only, not for sending the user to an external domain. If you put http://google.com in the url parameter, what happens? Either you get an error page, because there is a protection, or you are redirected to Google, and that is a basic open redirect.

Now suppose there is a protection and you got the error page. Let's try to bypass it. The first one is //google.com/: this works when the filter only blocks values starting with http:// or https://, because there is no scheme to match, but the browser still resolves two leading slashes as a protocol-relative absolute URL and goes to google.com. Another one is http://google.com%23.target.com/, where %23 is a URL-encoded #. A filter that just looks for target.com somewhere after the scheme sees google.com as if it were a subdomain of target.com and accepts the request, but once the server decodes the parameter and puts the # in the Location header, everything after it is a fragment for the browser, so the host is google.com and that is where the user ends up.

Look at this one: the parameter needs a value, right? What if we write .org or .mx? If there is no filtering on it and the website builds the redirect by concatenating the value onto its own domain without adding a /, the user is redirected to target.com.mx, which is not the target domain. For example, http://target.com/red.php?url=.mx becomes a redirect to http://target.com.mx/, the same as writing http://target.com/red.php?url=http://target.com.mx/ directly. Of course this only gets you somewhere if you can register target.com.mx (or whatever TLD you pick).

Another bypass is http://google.com\.target.com/. The filter sees google.com\.target.com, which looks like a subdomain of target.com, but browsers treat a backslash in an http(s) URL exactly like a forward slash, so the real host is google.com, .target.com/ is just a path, and the redirect goes to google.com. You can also use http://google.com?c=.target.com/, which is close to the previous one: the filter sees .target.com at the end of the value and accepts it, but it is only a query-string parameter, so the host is still google.com and the redirect goes to http://google.com/?c=.target.com/.

This bypass, http://target.com@google.com/, is cool. The @ can also be sent encoded as %40. Everything before the @ is the userinfo part of the URL, so a filter that checks for target.com at the start of the host is happy, but when the browser follows the redirect the host is google.com. If the website prepends its own domain to the value, you can use it as http://target.com/red.php?url=@google.com, which becomes http://target.com@google.com.
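To see all of these tricks side by side, here is a small Python script (added here as an illustration, not code from the original post). It runs the payloads above through a deliberately weak filter of the kind these bypasses defeat, models where a browser would actually land, and then checks the same values against a stricter rule that only accepts same-site paths. target.com is the target from the post; the endpoint path, the function names, the exact filter logic and the payload list are assumptions for the demo.

```python
import re
from urllib.parse import unquote, urljoin, urlsplit

TRUSTED_HOST = "target.com"                         # the site under test, as in the post
BASE_PAGE = "http://target.com/path/redirect.php"   # assumed redirect endpoint

# Constructed payloads: one legitimate value plus the bypasses from the post.
PAYLOADS = [
    "/account",
    "//google.com/",
    "http://google.com%23.target.com/",
    "http://google.com\\.target.com/",      # a single backslash once Python unescapes it
    "http://google.com?c=.target.com/",
    "http://target.com@google.com/",
    "%40google.com",
    ".mx",
]

_HOST_RE = re.compile(r"^https?://([^/]*)", re.IGNORECASE)


def naive_is_safe(value: str) -> bool:
    """Deliberately weak filter of the kind the bypasses defeat.

    Anything without a scheme is treated as a local path, and for absolute
    URLs the 'host' is whatever sits between '://' and the next '/', which
    only has to contain the trusted domain somewhere.
    """
    m = _HOST_RE.match(value)
    if m is None:
        return True                  # looks relative, so assumed local
    return TRUSTED_HOST in m.group(1)


def build_location(value: str) -> str:
    """Location header the vulnerable endpoint emits for an accepted value.

    Absolute and protocol-relative values pass straight through; everything
    else is glued onto the site origin without a separating '/', which is
    the concatenation bug the '.mx' and '@google.com' tricks rely on.
    """
    if value.startswith("//") or "://" in value:
        return value
    return "http://" + TRUSTED_HOST + value


def browser_host(location: str) -> str:
    """Approximate host a browser ends up on after following `location`.

    The header is resolved against the current page, and for http(s) URLs a
    backslash is treated like a forward slash (WHATWG URL parsing), so
    'google.com\\.target.com' is host google.com with path '/.target.com'.
    Fragments (#) and query strings (?) never belong to the host.
    """
    resolved = urljoin(BASE_PAGE, location.replace("\\", "/"))
    return urlsplit(resolved).hostname or ""


def hardened_is_safe(value: str) -> bool:
    """Accept only a same-site absolute path: exactly one leading '/', not
    '//' or '/\\', no backslash or control characters, no scheme, no
    authority. Every payload above fails at least one of these."""
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return False
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def evaluate(raw_param: str) -> dict:
    """Push one raw ?url= value through both filters and the browser model."""
    value = unquote(raw_param)       # the server decodes %23 -> '#', %40 -> '@'
    naive_ok = naive_is_safe(value)
    return {
        "payload": raw_param,
        "naive_accepts": naive_ok,
        "lands_on": browser_host(build_location(value)) if naive_ok else None,
        "hardened_accepts": hardened_is_safe(value),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        r = evaluate(p)
        print(f"{r['payload']:<36} naive={r['naive_accepts']!s:<5} "
              f"lands_on={r['lands_on']!s:<14} hardened={r['hardened_accepts']}")
```

The point of `hardened_is_safe` is that it never tries to decide which host a URL "really" points at; it refuses anything that is not a plain local path, so the server-side parser and the browser cannot disagree. If an application genuinely needs to allow absolute URLs to itself, it should reject backslashes and control characters first, then compare `urlsplit(value).hostname` for exact equality with its own host, never with a substring or suffix check.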

In the end, these are not all the bypasses, just the common ones, and you can create your own payloads too. I hope this topic helps someone. Goodbye.
