May 30, 2026
How I Automated Open Redirect Vulnerability Hunting Using a Single Terminal Command
Ali Ayman (sagax)
The Concept
An open redirect happens when an application takes user input (usually a URL in a parameter) and uses it in a redirection header without validating it first. While it's often considered a low or medium severity issue, attackers love it because it can be chained with OAuth flaws to steal tokens, or simply used to make phishing links look highly convincing.
Building the Pipeline
I chained a few standard CLI tools together to automate the entire process from recon to validation. Here is the exact command I used:
echo "target.com" | gau --subs | uro | grep "=" | qsreplace "http://example.com" | httpx -silent -location -mc 301,302,303,307,308 -random-agent | grep "http://example.com"
Here is how it breaks down:
1- gau --subs: Grabs historical URLs for the domain and all its subdomains from passive archives (Wayback Machine, Common Crawl, etc.).
2- uro: Cleans up the output by removing duplicate parameters and useless noise.
3- grep "=": Filters out files and static pages, keeping only URLs that actually have parameters.
4- qsreplace: Replaces the values of all discovered parameters with my test domain (http://example.com).
5- httpx: Sends the active requests. I configured it to follow redirects (-location) and look specifically for HTTP 3xx status codes.
6- grep: The final check. If http://example.com shows up in the response path, it means the server blindly redirected my request.
The Discovery
I ran the script against the target scope, and almost instantly, my terminal returned a match. The application took the injected URL in a redirect parameter and threw back a 302 Found status code, forwarding the request straight to example.com.
Remediation
The safest way to fix this is to avoid letting user input dictate redirection targets. If the application must redirect based on user input, a strict whitelist of allowed domains or relative internal paths should be enforced.
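One way to enforce the allowlist described above, as an added example that is not part of the original post. The function name, the allowlisted hosts and the sample inputs are constructed for illustration; anything that is not an internal path or an exact allowlisted https host falls back to a default page.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; use the application's own hosts.
ALLOWED_HOSTS = frozenset({"app.example.org", "accounts.example.org"})


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `value` if it is an allowed redirect target, else `default`."""
    if not isinstance(value, str) or not value or len(value) > 2048:
        return default
    # Browsers drop tabs/newlines and read "\" as "/", so "/\host" can leave
    # the site. Reject raw whitespace, control characters and backslashes.
    if any(ord(ch) <= 0x20 or ch in "\\\x7f" for ch in value):
        return default
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative internal path: one leading "/", never "//" (scheme-relative).
        ok = value.startswith("/") and not value.startswith("//")
        return value if ok else default
    # Absolute URL: https only, no userinfo, default port, exact host match.
    if parts.scheme != "https" or "@" in parts.netloc or port not in (None, 443):
        return default
    host = (parts.hostname or "").lower()
    return value if host in allowed_hosts else default


if __name__ == "__main__":
    # Constructed sample values of a redirect parameter.
    samples = [
        "/account/settings?tab=1",
        "https://app.example.org/home",
        "http://example.com",
        "//example.com/login",
        "/\\example.com",
        "https://app.example.org@example.com/",
        "https://app.example.org.example.com/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s)!r}")
```

The host comparison is an exact match on purpose: suffix or substring checks are what let lookalike hosts such as app.example.org.example.com through.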
Note: It is important to emphasize that this automated pipeline is purely a preliminary check. Just because an automated tool doesn't catch a flaw doesn't mean the application is 100% secure against Open Redirects.