Post cover image

June 26, 2026

Open Redirect โ€” Tiny Bug, Real Reward

Hey everyone! Nitin here ๐Ÿ‘‹

By Nitin yadav

1 min read

Open redirect is the bug that beginners ignore and pros chain into something big. On its own it looks tiny. But understand WHY it matters and you'll start collecting these (and using them to boost other bugs). Let's go.

What's An Open Redirect?

Lots of sites redirect you around. Like after login: site.com/login?redirect=/dashboard โ€” the site sends you to /dashboard after you log in.

An open redirect is when you can change that destination to ANY website โ€” including an attacker's:

site.com/login?redirect=https://evil.com

If the site happily sends you off to evil.com, that's an open redirect. The site trusted the redirect value without checking it. โžก๏ธ

"So What? It's Just A Redirect"

That's what everyone says. Here's why it actually matters:

  • Phishing: the link starts with the REAL, trusted domain (site.com/...), so victims trust it โ€” then get bounced to a fake login page. Way more convincing than a random evil link.
  • Token theft: if the redirect carries auth tokens or codes, you can steal them by redirecting to your server. This is the big one.
  • Chaining: open redirects supercharge OTHER bugs โ€” especially OAuth flows and SSRF. A "low" bug becomes part of a "critical" chain.
None

Where To Find Them

Look for parameters that control where you go:

  • ?redirect=, ?url=, ?next=, ?return=, ?returnUrl=, ?dest=, ?continue=
  • Login and logout flows
  • OAuth/SSO flows (the juiciest โ€” tokens fly around here)
  • "Click here to continue" links

How To Hunt It

  1. Spot a redirect parameter
  2. Change its value to an external domain you control (https://yoursite.com)
  3. Follow the request โ€” does it send you to your domain?
  4. If yes โ†’ open redirect โœ…
  5. Now think CHAIN: is this in an OAuth flow? Does a token come along for the ride? That's where it gets valuable

The Bypass Game

Sites try to block external redirects. Common bypasses when basic ones fail: //evil.com (protocol-relative), https:evil.com, https://site.com.evil.com, https://site.com@evil.com. The filter usually checks for the obvious cases and forgets the weird ones.

My Honest Tip

Don't report a plain open redirect and stop there โ€” many programs rate it low or out of scope alone. Instead, ALWAYS ask "what can I chain this into?" An open redirect inside an OAuth flow that leaks an access token? That's no longer a tiny bug. That's a payday. The skill is in the chaining.

Next post: authentication bypass tricks โ€” getting in without the keys.

Redirect with purpose! โžก๏ธ