June 26, 2026
Open Redirect: Tiny Bug, Real Reward
Hey everyone! Nitin here.

By Nitin Yadav
1 min read
Open redirect is the bug that beginners ignore and pros chain into something big. On its own it looks tiny. But understand WHY it matters and you'll start collecting these (and using them to boost other bugs). Let's go.
What's An Open Redirect?
Lots of sites redirect you around. Like after login: site.com/login?redirect=/dashboard, where the site sends you to /dashboard after you log in.
An open redirect is when you can change that destination to ANY website, including an attacker's:
site.com/login?redirect=https://evil.com
If the site happily sends you off to evil.com, that's an open redirect. The site trusted the redirect value without checking it. ⚡
"So What? It's Just A Redirect"
That's what everyone says. Here's why it actually matters:
- Phishing: the link starts with the REAL, trusted domain (site.com/...), so victims trust it, then get bounced to a fake login page. Way more convincing than a random evil link.
- Token theft: if the redirect carries auth tokens or codes, you can steal them by redirecting to your server. This is the big one.
- Chaining: open redirects supercharge OTHER bugs, especially OAuth flows and SSRF. A "low" bug becomes part of a "critical" chain.
Where To Find Them
Look for parameters that control where you go: ?redirect=, ?url=, ?next=, ?return=, ?returnUrl=, ?dest=, ?continue=
- Login and logout flows
- OAuth/SSO flows (the juiciest: tokens fly around here)
- "Click here to continue" links
How To Hunt It
- Spot a redirect parameter
- Change its value to an external domain you control (https://yoursite.com)
- Follow the request: does it send you to your domain?
- If yes, that's an open redirect
- Now think CHAIN: is this in an OAuth flow? Does a token come along for the ride? That's where it gets valuable
The Bypass Game
Sites try to block external redirects. Common bypasses when basic ones fail: //evil.com (protocol-relative), https:evil.com, https://site.com.evil.com, https://site.com@evil.com. The filter usually checks for the obvious cases and forgets the weird ones.
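Every bypass in that list is a way a string-prefix filter fails. As an added example (my own code, not from the post), here is a Python validator that puts the usual weak prefix check next to a strict one that decides on parsed URL components, plus a small scanner that flags the redirect parameters listed under "Where To Find Them" when they carry an off-site value in access-log lines. `site.com` is the trusted host from the post; the log lines and the `evil.com` values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hostname the application is served from (assumed for this example)
TRUSTED_HOST = "site.com"

# Parameter names the post lists as the usual suspects
REDIRECT_PARAMS = {"redirect", "url", "next", "return", "returnUrl", "dest", "continue"}


def weak_is_safe(target: str) -> bool:
    """Prefix check of the kind that ships in many apps: it blocks absolute URLs
    whose prefix is not the trusted origin and assumes everything else is a
    relative path. Each bypass from the post gets past it."""
    if target.startswith(("http://", "https://")):
        return target.startswith("https://" + TRUSTED_HOST)
    return True


def is_safe_redirect(target: str) -> bool:
    """Allow only (a) a path on this site or (b) an absolute https URL whose
    parsed hostname is exactly TRUSTED_HOST. Decide on parsed components,
    never on string prefixes."""
    if not target or any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    if "\\" in target:  # browsers treat '\' like '/', many parsers do not
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Plain path: must start with exactly one '/', because '//host' and
        # '///host' are both read as protocol-relative URLs by browsers.
        return target.startswith("/") and not target.startswith("//")
    # 'https:evil.com' parses with a scheme but no netloc; browsers still go there,
    # and it falls through to the hostname comparison below, which fails.
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # 'https://site.com@evil.com' hides the real host behind '@'
    return parts.hostname == TRUSTED_HOST  # 'site.com.evil.com' != 'site.com'


def safe_redirect_target(target: str, default: str = "/") -> str:
    """What the login handler should actually redirect to."""
    return target if is_safe_redirect(target) else default


# Request line extractor for common-log-format lines (constructed format)
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_offsite_redirects(log_lines):
    """Scan access-log lines for redirect-style parameters carrying a value the
    strict check rejects. Returns (parameter, value) pairs worth reviewing."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in REDIRECT_PARAMS:
                continue
            for value in values:
                if not is_safe_redirect(value):
                    findings.append((name, value))
    return findings


# Constructed sample log lines for the scanner
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2026:10:00:01 +0000] "GET /login?redirect=/dashboard HTTP/1.1" 302 0',
    '10.0.0.5 - - [26/Jun/2026:10:00:02 +0000] "GET /login?redirect=//evil.com HTTP/1.1" 302 0',
    '10.0.0.7 - - [26/Jun/2026:10:00:03 +0000] "GET /oauth/authorize?next=https://site.com@evil.com HTTP/1.1" 302 0',
    '10.0.0.9 - - [26/Jun/2026:10:00:04 +0000] "GET /logout?returnUrl=https:evil.com HTTP/1.1" 302 0',
    '10.0.0.9 - - [26/Jun/2026:10:00:05 +0000] "GET /search?q=hello HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for t in ["/dashboard", "//evil.com", "https:evil.com",
              "https://site.com.evil.com", "https://site.com@evil.com"]:
        print(f"{t:32} weak={weak_is_safe(t)!s:5} strict={is_safe_redirect(t)}")
    for name, value in find_offsite_redirects(SAMPLE_LOG):
        print(f"review: {name}={value}")
```

The strict check is an allowlist: either a single-slash path or an exact hostname match after parsing, so the filter never has to enumerate the weird cases the post mentions. The scanner is the same predicate run over logs, which is a cheap way to find where a redirect parameter is already being probed before anyone reports it.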
My Honest Tip
Don't report a plain open redirect and stop there; many programs rate it low or out of scope alone. Instead, ALWAYS ask "what can I chain this into?" An open redirect inside an OAuth flow that leaks an access token? That's no longer a tiny bug. That's a payday. The skill is in the chaining.
Next post: authentication bypass tricks, getting in without the keys.
Redirect with purpose! ⚡